Windows Analysis Report
PO 4500005168 NIKOLA.exe

Overview

General Information

Sample name: PO 4500005168 NIKOLA.exe
Analysis ID: 1465533
MD5: 6dd4f871c7d18b3f1b45a7112c21ced3
SHA1: e4f29ee54067cb1b18269e652f0b9deea63f437b
SHA256: 6232ba2d8c8ca87c37818660014882d4d0536d7296e08f2c37ba1c692b901f66
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • PO 4500005168 NIKOLA.exe (PID: 5820 cmdline: "C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe" MD5: 6DD4F871C7D18B3F1B45A7112C21CED3)
    • powershell.exe (PID: 2924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6996 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GpAHAtkovL.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 5076 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 1780 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GpAHAtkovL" /XML "C:\Users\user\AppData\Local\Temp\tmp7910.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 4884 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • GpAHAtkovL.exe (PID: 5424 cmdline: C:\Users\user\AppData\Roaming\GpAHAtkovL.exe MD5: 6DD4F871C7D18B3F1B45A7112C21CED3)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}
Source | Rule | Description | Author | Strings
00000009.00000002.4569752583.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000009.00000002.4569752583.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.4571658613.000000000316C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.4571658613.0000000003141000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000009.00000002.4571658613.0000000003141000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author | Strings
0.2.PO 4500005168 NIKOLA.exe.4334390.5.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.PO 4500005168 NIKOLA.exe.4334390.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.PO 4500005168 NIKOLA.exe.4334390.5.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
                • 0x316f7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                • 0x31769:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                • 0x317f3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                • 0x31885:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                • 0x318ef:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                • 0x31961:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                • 0x319f7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                • 0x31a87:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.PO 4500005168 NIKOLA.exe.42f9970.8.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.PO 4500005168 NIKOLA.exe.42f9970.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

                    System Summary

                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe", ParentImage: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, ParentProcessId: 5820, ParentProcessName: PO 4500005168 NIKOLA.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe", ProcessId: 2924, ProcessName: powershell.exe
                    Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 4884, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49717
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GpAHAtkovL" /XML "C:\Users\user\AppData\Local\Temp\tmp7910.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GpAHAtkovL" /XML "C:\Users\user\AppData\Local\Temp\tmp7910.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe", ParentImage: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, ParentProcessId: 5820, ParentProcessName: PO 4500005168 NIKOLA.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GpAHAtkovL" /XML "C:\Users\user\AppData\Local\Temp\tmp7910.tmp", ProcessId: 1780, ProcessName: schtasks.exe
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe", ParentImage: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, ParentProcessId: 5820, ParentProcessName: PO 4500005168 NIKOLA.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe", ProcessId: 2924, ProcessName: powershell.exe

                    Persistence and Installation Behavior

                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GpAHAtkovL" /XML "C:\Users\user\AppData\Local\Temp\tmp7910.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GpAHAtkovL" /XML "C:\Users\user\AppData\Local\Temp\tmp7910.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe", ParentImage: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, ParentProcessId: 5820, ParentProcessName: PO 4500005168 NIKOLA.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GpAHAtkovL" /XML "C:\Users\user\AppData\Local\Temp\tmp7910.tmp", ProcessId: 1780, ProcessName: schtasks.exe
                    No Snort rule has matched

                    AV Detection

                    Source: PO 4500005168 NIKOLA.exe | Avira: detected
                    Source: http://mail.iaa-airferight.com | Avira URL Cloud: Label: malware
                    Source: C:\Users\user\AppData\Roaming\GpAHAtkovL.exe | Avira: detection malicious, Label: HEUR/AGEN.1308640
                    Source: 0.2.PO 4500005168 NIKOLA.exe.4334390.5.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}
                    Source: C:\Users\user\AppData\Roaming\GpAHAtkovL.exe | ReversingLabs: Detection: 28%
                    Source: PO 4500005168 NIKOLA.exe | ReversingLabs: Detection: 28%
                    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                    Source: C:\Users\user\AppData\Roaming\GpAHAtkovL.exe | Joe Sandbox ML: detected
                    Source: PO 4500005168 NIKOLA.exe | Joe Sandbox ML: detected
                    Source: PO 4500005168 NIKOLA.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49716 version: TLS 1.2
                    Source: PO 4500005168 NIKOLA.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exeCode function: 4x nop then jmp 03274972h0_2_032740A7
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exeCode function: 4x nop then jmp 03274972h0_2_03274901
                    Source: Joe Sandbox ViewIP Address: 46.175.148.58 46.175.148.58
                    Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                    Source: Joe Sandbox ViewASN Name: ASLAGIDKOM-NETUA ASLAGIDKOM-NETUA
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownDNS query: name: api.ipify.org
                    Source: global trafficTCP traffic: 192.168.2.6:49717 -> 46.175.148.58:25
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                    Source: global trafficDNS traffic detected: DNS query: mail.iaa-airferight.com
                    Source: RegSvcs.exe, 00000009.00000002.4571658613.000000000316C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.iaa-airferight.com
                    Source: PO 4500005168 NIKOLA.exe, 00000000.00000002.2182552745.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.4571658613.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: PO 4500005168 NIKOLA.exe, GpAHAtkovL.exe.0.drString found in binary or memory: http://www.opcom.ro/rapoarte/export_csv_raportPIPsiVolumTranzactionat_PI.php?zi=
                    Source: PO 4500005168 NIKOLA.exe, GpAHAtkovL.exe.0.drString found in binary or memory: http://www.opcom.ro/rapoarte/export_xml_PIPsiVolTranPI.php?zi=
                    Source: PO 4500005168 NIKOLA.exe, 00000000.00000002.2186028148.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.4569752583.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: PO 4500005168 NIKOLA.exe, 00000000.00000002.2186028148.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.4571658613.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.4569752583.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                    Source: RegSvcs.exe, 00000009.00000002.4571658613.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                    Source: RegSvcs.exe, 00000009.00000002.4571658613.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: 0.2.PO 4500005168 NIKOLA.exe.4334390.5.raw.unpack, abAX9N.cs.Net Code: BFeixnEv
                    Source: 0.2.PO 4500005168 NIKOLA.exe.42f9970.8.raw.unpack, abAX9N.cs.Net Code: BFeixnEv
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window created: window name: CLIPBRDWNDCLASS

                    System Summary

                    Source: 0.2.PO 4500005168 NIKOLA.exe.4334390.5.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.PO 4500005168 NIKOLA.exe.42f9970.8.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.PO 4500005168 NIKOLA.exe.4334390.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.PO 4500005168 NIKOLA.exe.42f9970.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess Stats: CPU usage > 49%
                    Source: PO 4500005168 NIKOLA.exe, 00000000.00000002.2182552745.0000000003341000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs PO 4500005168 NIKOLA.exe
                    Source: PO 4500005168 NIKOLA.exe, 00000000.00000002.2175000112.00000000016AD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs PO 4500005168 NIKOLA.exe
                    Source: PO 4500005168 NIKOLA.exe, 00000000.00000002.2186028148.00000000042F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs PO 4500005168 NIKOLA.exe
                    Source: PO 4500005168 NIKOLA.exe, 00000000.00000002.2193510066.00000000074D0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameRT.dll. vs PO 4500005168 NIKOLA.exe
                    Source: PO 4500005168 NIKOLA.exe, 00000000.00000002.2196459238.0000000008320000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs PO 4500005168 NIKOLA.exe
                    Source: PO 4500005168 NIKOLA.exe, 00000000.00000002.2186028148.00000000044CE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs PO 4500005168 NIKOLA.exe
                    Source: PO 4500005168 NIKOLA.exeBinary or memory string: OriginalFilenamewps_lid.lid-e8GCBlwe6t6b.exe8 vs PO 4500005168 NIKOLA.exe
                    Source: 0.2.PO 4500005168 NIKOLA.exe.4334390.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.PO 4500005168 NIKOLA.exe.42f9970.8.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.PO 4500005168 NIKOLA.exe.4334390.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.PO 4500005168 NIKOLA.exe.42f9970.8.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: PO 4500005168 NIKOLA.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: GpAHAtkovL.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.PO 4500005168 NIKOLA.exe.4334390.5.raw.unpack, RsYAkkzVoy.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.4334390.5.raw.unpack, Kqqzixk.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.4334390.5.raw.unpack, xROdzGigX.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.4334390.5.raw.unpack, ywes.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.4334390.5.raw.unpack, iPVW0zV.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.4334390.5.raw.unpack, 1Pi9sgbHwoV.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.4334390.5.raw.unpack, YUgDfWK2g4.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.4334390.5.raw.unpack, YUgDfWK2g4.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.4334390.5.raw.unpack, MarWtcu.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, BU04tCHTSjxVMJsUxj.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, BU04tCHTSjxVMJsUxj.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, BU04tCHTSjxVMJsUxj.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.PO 4500005168 NIKOLA.exe.46d5b00.7.raw.unpack, tQ8eNfrAaHWx8OP0bQ.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.PO 4500005168 NIKOLA.exe.46d5b00.7.raw.unpack, BU04tCHTSjxVMJsUxj.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.PO 4500005168 NIKOLA.exe.46d5b00.7.raw.unpack, BU04tCHTSjxVMJsUxj.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.PO 4500005168 NIKOLA.exe.46d5b00.7.raw.unpack, BU04tCHTSjxVMJsUxj.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, tQ8eNfrAaHWx8OP0bQ.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.PO 4500005168 NIKOLA.exe.46596e0.6.raw.unpack, BU04tCHTSjxVMJsUxj.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.PO 4500005168 NIKOLA.exe.46596e0.6.raw.unpack, BU04tCHTSjxVMJsUxj.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.PO 4500005168 NIKOLA.exe.46596e0.6.raw.unpack, BU04tCHTSjxVMJsUxj.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.PO 4500005168 NIKOLA.exe.46596e0.6.raw.unpack, tQ8eNfrAaHWx8OP0bQ.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.PO 4500005168 NIKOLA.exe.34d588c.4.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                    Source: 0.2.PO 4500005168 NIKOLA.exe.7730000.10.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                    Source: 0.2.PO 4500005168 NIKOLA.exe.34b46bc.1.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@14/13@2/2
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe | File created: C:\Users\user\AppData\Roaming\GpAHAtkovL.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3088:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6792:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2708:120:WilError_03
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe | File created: C:\Users\user\AppData\Local\Temp\tmp7910.tmp
                    Source: PO 4500005168 NIKOLA.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe | File read: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe
                    Source: unknownProcess created: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe "C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe"
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GpAHAtkovL.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GpAHAtkovL" /XML "C:\Users\user\AppData\Local\Temp\tmp7910.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\GpAHAtkovL.exe C:\Users\user\AppData\Roaming\GpAHAtkovL.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: PO 4500005168 NIKOLA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: PO 4500005168 NIKOLA.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: PO 4500005168 NIKOLA.exe, OptionsWindow.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: GpAHAtkovL.exe.0.dr, OptionsWindow.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.PO 4500005168 NIKOLA.exe.46596e0.6.raw.unpack, BU04tCHTSjxVMJsUxj.cs | .Net Code: MTdn2Acfld System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.PO 4500005168 NIKOLA.exe.46d5b00.7.raw.unpack, BU04tCHTSjxVMJsUxj.cs | .Net Code: MTdn2Acfld System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, BU04tCHTSjxVMJsUxj.cs | .Net Code: MTdn2Acfld System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe | Code function: 0_2_03273248 push esp; ret 0_2_03273249
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe | Code function: 0_2_05D15F98 push eax; mov dword ptr [esp], ecx 0_2_05D15F9C
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe | Code function: 0_2_0820CD68 pushfd ; ret 0_2_0820CD69
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe | Code function: 0_2_0820D19B pushad ; retf 0_2_0820D19D
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe | Code function: 0_2_082034F5 push 0000005Eh; iretd 0_2_08203536
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe | Code function: 0_2_0820A4F8 pushfd ; iretd 0_2_0820A505
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe | Code function: 0_2_082034D3 push 0000005Eh; iretd 0_2_08203536
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01050C45 push ebx; retf 9_2_01050C52
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01050C53 push ebx; retf 9_2_01050C52
                    Source: PO 4500005168 NIKOLA.exe | Static PE information: section name: .text entropy: 7.960147965955043
                    Source: GpAHAtkovL.exe.0.dr | Static PE information: section name: .text entropy: 7.960147965955043
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, P6Tw7XfdVwAcBVuTnH.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'v1gvxnTuPx', 'GxHvh8Dm0q', 'NfCvzHjEuC', 'Jg9WcCTLjl', 'GtwWjQ8nTx', 'tBYWvtsZSx', 'RAkWWRofM5', 'uu1or2Hq2HwabjBryRV'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, OssdYitnKMwMkVNN0t.csHigh entropy of concatenated method names: 'db4VOvVFKl', 'J5XV9Qx226', 'oAAVTHYIKP', 'cPtThLMfoP', 'PNtTzH64Zd', 'dUNVcyYnRv', 'LphVjSoRks', 'DIXVvAAOGm', 'BDQVWu4IOi', 'wp3Vn4mBn5'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, EG5b8wbfehDlwucEwG.csHigh entropy of concatenated method names: 'dB6Vk0xp3a', 'XDBVsXU5US', 'NOuV2JN0E0', 'JSaVCgfrI5', 'Q8SVgR0uxe', 'jEdVQ8R3ZU', 'IawVwGwwYD', 'KfMViZVrVO', 'icdV5lrtfK', 'ONsVIJ9dC4'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, L6P0V9g72YyCuMfQ98.csHigh entropy of concatenated method names: 'OI6RgVjYil', 'tfHRwVds4e', 'kcT9tYNfcv', 'HFB9qKBh2A', 'KRu9LeTOyM', 'OX49PWmvi4', 'ni99ptrFdq', 'grU9l4xqfB', 'Cat9fvt5sy', 'zYb9ULo1p5'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, FgZJceCoBY30WoIp1g.csHigh entropy of concatenated method names: 'ifZ9CGO8My', 'KeX9QrnCbU', 'Goi9iORJ6Z', 'oe195L3KCi', 'vnf93fnt8x', 'cHe9XYritX', 'UJ297TCZWT', 'iHZ9rNseBE', 'vSd9G8A4IT', 'JRH9AI2002'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, wTpWmxIUfAdeyg1b1j.csHigh entropy of concatenated method names: 'N0e7ScebFJ', 'n6x7hPeZAE', 'ul7rcAfRPD', 'ysTrjBvgiQ', 'iI37KSRhpb', 'Wd87ycJK35', 'oU47YmRlbH', 'dM57HoR41t', 'Qk271LO0Lm', 'KWL7ZTd8CD'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, Q4lu6KFWx590wheV3e.csHigh entropy of concatenated method names: 'rEC3UoKKuj', 'diX3yKN0OR', 'qyK3H4FLDC', 'rRW31YQT07', 'vAc3EE5BId', 'sbM3tDSHBT', 'dXn3qP6Rhw', 'NiF3Lh3OmG', 'dp23PYpWQB', 'MxP3pUu6pl'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, iIdTJ8oBqj9MSxkSRS.csHigh entropy of concatenated method names: 'GEXjV6SVNK', 'i4Cj0P2Gpk', 'A4MjDgivGV', 'QxojFxnDCh', 'depj33i5f0', 'LBCjXXHZTb', 'i8MapDv9itgJ8qQv1w', 'DteeGvecn79WD90PPI', 'vx8jj0MUfc', 'csSjWkPKip'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, wo7KbayZ0CKXhssRJF.csHigh entropy of concatenated method names: 'pVtrODX7ib', 'QuNrb0pSH1', 'N3Qr9BdfuC', 'SgurR3CbST', 'tNqrTcfV47', 'zURrVIYNJA', 'zejr00VK2M', 'rmyreYBmn7', 'SwdrDlAIGb', 'VQOrFDbXSw'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, tQ8eNfrAaHWx8OP0bQ.csHigh entropy of concatenated method names: 'icfbHvtTE8', 'lyGb1IdNns', 'AMJbZOgOhB', 'SRbbmNZDbO', 'J1Lba69wks', 'VHEbuWUNZU', 'oRjb6I3HrL', 'E4WbSOhWA8', 'dm2bxsQ2Od', 'BJ7bhA2ZSL'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, PNIXH2ZspBpW9hVKLU.csHigh entropy of concatenated method names: 'WXU2N9TCT', 'oBFC8twFH', 'UyLQZtlkL', 'kjhwO9sbx', 'XSy5wFr3V', 'MHsIL3WR6', 'BO5NFaRCkLR9g4bjZs', 'BPQQ9E8GqgcvAUgBbM', 'aRerbPn06', 'uTgApNrSK'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, fVbJ0oR2rSSd0dUots.csHigh entropy of concatenated method names: 'PwmTBd9UAY', 'smSTb2ruKQ', 'UAKTR4UJ6r', 'X7OTVP39n2', 'Ww5T0i4WSp', 'e0eRaKtPIo', 'gSMRuwaqQf', 'OZ6R6pjmUW', 'XO8RSWPmEN', 'E99Rxv5UYN'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, ej24jG66bY7gKG8m4n.csHigh entropy of concatenated method names: 'NYfVDZT75gSNE0dgu0A', 'pdNrn6TalrsBJqR6cOJ', 'jePTrvOgYa', 'FdYTGrNFKL', 'iWbTA7ZM66', 'nCKp19TwItinpeP4uu2', 'yxxO3YTlFM6UsZeycwG'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, BU04tCHTSjxVMJsUxj.csHigh entropy of concatenated method names: 'FcbWBnGLeE', 'EL5WOu826A', 'pw1WbefbMG', 'AqRW9icqnZ', 'KWtWRSVeRT', 'NDvWTNIV80', 'ffvWV3Yvwv', 'YwYW0VnSE3', 'lZcWe1GbUn', 'AwUWDwlMr6'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, kaPLuBNJtQFCxEteSbJ.csHigh entropy of concatenated method names: 'j3yGk4DDbR', 'C6gGsEdm6N', 'fgcG2ElKL3', 'XwcGC1VJGP', 'SJ6GgqbtUR', 'qVbGQ5xfVL', 'qdgGwwnM82', 'b1GGioDXII', 'ix6G5Cfnli', 'gDIGIc6PlC'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, kHgWSHQDeHTcVYqEX3.csHigh entropy of concatenated method names: 'YYddiusJ7Y', 'pfFd5jd7Uh', 'OQXdMs1lHl', 'dUodEnV5he', 'KeTdqXjt9s', 'KqddL2uARn', 'wTcdpwyCGg', 'iNQdlKwZQV', 'hMGdUQLhZI', 'OGndKWk6Ol'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, KPChXHnrNeLJMeRJcN.csHigh entropy of concatenated method names: 'PwjrMquea6', 'eUurE0BFFo', 'f95rtw9Gj4', 'nPnrqJZoFf', 'DtxrHWscHO', 'DWUrLeYNKL', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, aNsXNHBbfx4UgKBm7L.csHigh entropy of concatenated method names: 'AbiGjCPo8V', 'OjZGWyVqV1', 'nKMGnDqAwM', 'CDWGOiciW2', 'u5dGbwQru0', 'VsOGRfMqDR', 'NQaGT6xiNI', 'mhdr6LSkWb', 'CGarSQ0WVM', 'yQmrxJNw6m'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, IoNKtANuQ2wGOjDj3n8.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AOsAH3mLAQ', 'cWCA1i7s80', 'hXfAZducvP', 'FcaAmYbGth', 'xxKAapmZc3', 'JV7AuiqImR', 'z4AA6McRCW'
                    Source: 0.2.PO 4500005168 NIKOLA.exe.8320000.11.raw.unpack, ywkcheKS515YMxjlXg.csHigh entropy of concatenated method names: 'Dispose', 'F2TjxS3Aax', 'feJvEN36fv', 'PHNJJM5clI', 'NH7jhZmGsI', 'jjqjzx4w10', 'ProcessDialogKey', 'EtVvcQHnVf', 'GHOvjGrsVM', 'VQovvpaTFx'
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe; File created: C:\Users\user\AppData\Roaming\GpAHAtkovL.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GpAHAtkovL" /XML "C:\Users\user\AppData\Local\Temp\tmp7910.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exeMemory allocated: 1680000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exeMemory allocated: 32F0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exeMemory allocated: 3210000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exeMemory allocated: 83A0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exeMemory allocated: 93A0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exeMemory allocated: 9660000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exeMemory allocated: A660000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3144Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4594Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1264Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 8593Jump to behavior
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe TID: 7160Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3960Thread sleep count: 3144 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5772Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3960Thread sleep count: 130 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3664Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5388Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4156Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3796Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99797Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99687Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99578Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99469Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99359Jump to behavior
                    Source: RegSvcs.exe, 00000009.00000002.4574890992.0000000006230000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process information queried: ProcessInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe"
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GpAHAtkovL.exe"
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43C000
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DE4008
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GpAHAtkovL" /XML "C:\Users\user\AppData\Local\Temp\tmp7910.tmp"
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, Queries volume information: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe VolumeInformation
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 9_2_01056CE0 GetUserNameW,9_2_01056CE0
                    Source: C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match, File source: 0.2.PO 4500005168 NIKOLA.exe.4334390.5.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.PO 4500005168 NIKOLA.exe.42f9970.8.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.PO 4500005168 NIKOLA.exe.4334390.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.PO 4500005168 NIKOLA.exe.42f9970.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 00000009.00000002.4569752583.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000009.00000002.4571658613.000000000316C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000009.00000002.4571658613.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.2186028148.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: PO 4500005168 NIKOLA.exe PID: 5820, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 4884, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

                    Remote Access Functionality

                    Source: Yara match, File source: 0.2.PO 4500005168 NIKOLA.exe.4334390.5.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.PO 4500005168 NIKOLA.exe.42f9970.8.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.PO 4500005168 NIKOLA.exe.4334390.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.PO 4500005168 NIKOLA.exe.42f9970.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 00000009.00000002.4569752583.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000009.00000002.4571658613.000000000316C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000009.00000002.4571658613.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.2186028148.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: PO 4500005168 NIKOLA.exe PID: 5820, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 4884, type: MEMORYSTR
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 2 OS Credential Dumping | 1 Account Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 311 Process Injection | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 File and Directory Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Scheduled Task/Job | 3 Obfuscated Files or Information | 1 Credentials in Registry | 24 System Information Discovery | SMB/Windows Admin Shares | 1 Email Collection | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 211 Security Software Discovery | Distributed Component Object Model | 21 Input Capture | 23 Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Process Discovery | SSH | 1 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 141 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 141 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 311 Process Injection | Proc Filesystem | 1 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                    [Behavior graph. Behavior Graph ID: 1465533; Sample: PO 4500005168 NIKOLA.exe; Startdate: 01/07/2024; Architecture: WINDOWS; Score: 100]

                    Source | Detection | Scanner | Label | Link
                    PO 4500005168 NIKOLA.exe | 29% | ReversingLabs | ByteCode-MSIL.Trojan.XWorm |
                    PO 4500005168 NIKOLA.exe | 100% | Avira | HEUR/AGEN.1308640 |
                    PO 4500005168 NIKOLA.exe | 100% | Joe Sandbox ML | |

                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Roaming\GpAHAtkovL.exe | 100% | Avira | HEUR/AGEN.1308640 |
                    C:\Users\user\AppData\Roaming\GpAHAtkovL.exe | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Roaming\GpAHAtkovL.exe | 29% | ReversingLabs | ByteCode-MSIL.Trojan.XWorm |

                    No Antivirus matches
                    No Antivirus matches

                    Source | Detection | Scanner | Label | Link
                    https://api.ipify.org/ | 0% | URL Reputation | safe |
                    https://api.ipify.org | 0% | URL Reputation | safe |
                    https://account.dyn.com/ | 0% | URL Reputation | safe |
                    https://api.ipify.org/t | 0% | URL Reputation | safe |
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                    http://mail.iaa-airferight.com | 100% | Avira URL Cloud | malware |

                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    mail.iaa-airferight.com | 46.175.148.58 | true | true | | unknown
                    api.ipify.org | 104.26.13.205 | true | false | | unknown

                        Name | Malicious | Antivirus Detection | Reputation
                        https://api.ipify.org/ | false | URL Reputation: safe | unknown

                        Name | Source | Malicious | Antivirus Detection | Reputation
                        https://api.ipify.org | PO 4500005168 NIKOLA.exe, 00000000.00000002.2186028148.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.4571658613.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.4569752583.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        https://account.dyn.com/ | PO 4500005168 NIKOLA.exe, 00000000.00000002.2186028148.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.4569752583.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        https://api.ipify.org/t | RegSvcs.exe, 00000009.00000002.4571658613.00000000030F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PO 4500005168 NIKOLA.exe, 00000000.00000002.2182552745.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.4571658613.00000000030F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        http://mail.iaa-airferight.com | RegSvcs.exe, 00000009.00000002.4571658613.000000000316C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown

                        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                        46.175.148.58 | mail.iaa-airferight.com | Ukraine | | 56394 | ASLAGIDKOM-NETUA | true
                        104.26.13.205 | api.ipify.org | United States | | 13335 | CLOUDFLARENETUS | false

                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1465533
                        Start date and time:2024-07-01 19:22:07 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 9m 3s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:17
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:PO 4500005168 NIKOLA.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@14/13@2/2
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 98%
                        • Number of executed functions: 162
                        • Number of non-executed functions: 14
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Not all processes where analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtCreateKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        • VT rate limit hit for: PO 4500005168 NIKOLA.exe

                        Time | Type | Description
                        13:22:56 | API Interceptor | 1x Sleep call for process: PO 4500005168 NIKOLA.exe modified
                        13:23:03 | API Interceptor | 32x Sleep call for process: powershell.exe modified
                        13:23:05 | API Interceptor | 11380196x Sleep call for process: RegSvcs.exe modified
                        19:23:05 | Task Scheduler | Run new task: GpAHAtkovL path: C:\Users\user\AppData\Roaming\GpAHAtkovL.exe

                                            Process:C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1216
                                            Entropy (8bit):5.34331486778365
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                            Malicious:true
                                            Reputation:high, very likely benign file
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:modified
                                            Size (bytes):2232
                                            Entropy (8bit):5.380805901110357
                                            Encrypted:false
                                            SSDEEP:48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLHyIFKL3IZ2KRH9Oug8s
                                            MD5:16AD599332DD2FF94DA0787D71688B62
                                            SHA1:02F738694B02E84FFE3BAB7DE5709001823C6E40
                                            SHA-256:452876FE504FC0DBEDBD7F8467E94F6E80002DB4572D02C723ABC69F8DF0B367
                                            SHA-512:A96158FDFFA424A4AC01220EDC789F3236C03AAA6A7C1A3D8BE62074B4923957E6CFEEB6E8852F9064093E0A290B0E56E4B5504D18113A7983F48D5388CEC747
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe
                                            File Type:XML 1.0 document, ASCII text
                                            Category:dropped
                                            Size (bytes):1597
                                            Entropy (8bit):5.094102970992289
                                            Encrypted:false
                                            SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLBxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTTv
                                            MD5:A65EC5660C5A011787BAEE41A21E258C
                                            SHA1:31B6BCAFC519700E22B229675FBEBE26CDA9860A
                                            SHA-256:B4B9F6112AC135A959E5746338A6E38FF46DB3D833AA7F54326FBC67A169333D
                                            SHA-512:B91320AF44AA9ADCE6802EBD18F005CFAD627500E8A8A5BCF0C96B3993A697F0006CA4265AB36A178EB5E8CAAAB910B6053B02935C4EBA555C70489D5252D120
                                            Malicious:true
                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                            Process:C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):655360
                                            Entropy (8bit):7.938241568143375
                                            Encrypted:false
                                            SSDEEP:12288:YAt3lRPMManKx996Fd5UtTOOXKQrdMuZeoakR+pt7aQaBnvy8K:R1RO+Gd+8QrdLZbe7a5vB
                                            MD5:6DD4F871C7D18B3F1B45A7112C21CED3
                                            SHA1:E4F29EE54067CB1B18269E652F0B9DEEA63F437B
                                            SHA-256:6232BA2D8C8CA87C37818660014882D4D0536D7296E08F2C37BA1C692B901F66
                                            SHA-512:201478A2C249882AAA3C79EA633738D197B8BE373648926B722775BA0BCC698A53680CDCE79C30D76BC587B68A2C55839304B0ABE8CCCCCA11778FC3CF960723
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 29%
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0...... ........... ........@.. .......................@............@.....................................O.......t.................... ....................................................... ............... ..H............text...4.... ...................... ..`.rsrc...t...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:true
                                            Preview:[ZoneTransfer]....ZoneId=0
                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.938241568143375
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                            • Win32 Executable (generic) a (10002005/4) 49.93%
                                            • Windows Screen Saver (13104/52) 0.07%
                                            • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            File name:PO 4500005168 NIKOLA.exe
                                            File size:655'360 bytes
                                            MD5:6dd4f871c7d18b3f1b45a7112c21ced3
                                            SHA1:e4f29ee54067cb1b18269e652f0b9deea63f437b
                                            SHA256:6232ba2d8c8ca87c37818660014882d4d0536d7296e08f2c37ba1c692b901f66
                                            SHA512:201478a2c249882aaa3c79ea633738d197b8be373648926b722775ba0bcc698a53680cdce79c30d76bc587b68a2c55839304b0abe8ccccca11778fc3cf960723
                                            SSDEEP:12288:YAt3lRPMManKx996Fd5UtTOOXKQrdMuZeoakR+pt7aQaBnvy8K:R1RO+Gd+8QrdLZbe7a5vB
                                            TLSH:C5D4125135262863EBAC88F4A525188407F59F9A3815F7EA1DC370E90AF7B481863F7F
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0...... ........... ........@.. .......................@............@................................
                                            Icon Hash:003021490125191b
                                            Entrypoint:0x49f12e
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x6682AC90 [Mon Jul 1 13:18:08 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al
                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9f0dc | 0x4f | .text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa0000 | 0x1174 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0xa0000 | 0x0 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa2000 | 0xc | .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x2000 | 0x9d134 | 0x9d800 | a49697dd3f75220e60903674d8c03ae4 | False | 0.9546394469246032 | data | 7.960147965955043 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .rsrc | 0xa0000 | 0x1174 | 0x1800 | cf40a3daca42f92d2bb2bd5979fbefc8 | False | 0.23177083333333334 | data | 4.270479748543096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc | 0xa2000 | 0xc | 0x800 | d3196b1ad96a41cecd5c479514644883 | False | 0.015625 | data | 0.03037337037012526 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                            RT_ICON | 0xa0118 | 0xc28 | Device independent bitmap graphic, 23 x 64 x 32, image size 2944, resolution 11811 x 11811 px/m | | | 0.26317480719794345
                                            RT_GROUP_ICON | 0xa0d40 | 0x14 | data | | | 1.05
                                            RT_GROUP_ICON | 0xa0d54 | 0x14 | data | | | 1.05
                                            RT_VERSION | 0xa0d68 | 0x40c | data | | | 0.4189189189189189
                                            DLL | Import
                                            mscoree.dll | _CorExeMain
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Jul 1, 2024 19:23:04.695123911 CEST | 49716 | 443 | 192.168.2.6 | 104.26.13.205
                                            Jul 1, 2024 19:23:04.695193052 CEST | 443 | 49716 | 104.26.13.205 | 192.168.2.6
                                            Jul 1, 2024 19:23:04.695384026 CEST | 49716 | 443 | 192.168.2.6 | 104.26.13.205
                                            Jul 1, 2024 19:23:04.720237017 CEST | 49716 | 443 | 192.168.2.6 | 104.26.13.205
                                            Jul 1, 2024 19:23:04.720267057 CEST | 443 | 49716 | 104.26.13.205 | 192.168.2.6
                                            Jul 1, 2024 19:23:05.235503912 CEST | 443 | 49716 | 104.26.13.205 | 192.168.2.6
                                            Jul 1, 2024 19:23:05.235610008 CEST | 49716 | 443 | 192.168.2.6 | 104.26.13.205
                                            Jul 1, 2024 19:23:05.238265038 CEST | 49716 | 443 | 192.168.2.6 | 104.26.13.205
                                            Jul 1, 2024 19:23:05.238277912 CEST | 443 | 49716 | 104.26.13.205 | 192.168.2.6
                                            Jul 1, 2024 19:23:05.238532066 CEST | 443 | 49716 | 104.26.13.205 | 192.168.2.6
                                            Jul 1, 2024 19:23:05.295840025 CEST | 49716 | 443 | 192.168.2.6 | 104.26.13.205
                                            Jul 1, 2024 19:23:05.461087942 CEST | 49716 | 443 | 192.168.2.6 | 104.26.13.205
                                            Jul 1, 2024 19:23:05.508490086 CEST | 443 | 49716 | 104.26.13.205 | 192.168.2.6
                                            Jul 1, 2024 19:23:05.585863113 CEST | 443 | 49716 | 104.26.13.205 | 192.168.2.6
                                            Jul 1, 2024 19:23:05.585925102 CEST | 443 | 49716 | 104.26.13.205 | 192.168.2.6
                                            Jul 1, 2024 19:23:05.585999012 CEST | 49716 | 443 | 192.168.2.6 | 104.26.13.205
                                            Jul 1, 2024 19:23:05.599782944 CEST | 49716 | 443 | 192.168.2.6 | 104.26.13.205
                                            Jul 1, 2024 19:23:06.715795994 CEST | 49717 | 25 | 192.168.2.6 | 46.175.148.58
                                            Jul 1, 2024 19:23:07.717698097 CEST | 49717 | 25 | 192.168.2.6 | 46.175.148.58
                                            Jul 1, 2024 19:23:09.717684984 CEST | 49717 | 25 | 192.168.2.6 | 46.175.148.58
                                            Jul 1, 2024 19:23:13.733362913 CEST | 49717 | 25 | 192.168.2.6 | 46.175.148.58
                                            Jul 1, 2024 19:23:21.733408928 CEST | 49717 | 25 | 192.168.2.6 | 46.175.148.58
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Jul 1, 2024 19:23:04.533341885 CEST | 62870 | 53 | 192.168.2.6 | 1.1.1.1
                                            Jul 1, 2024 19:23:04.542716980 CEST | 53 | 62870 | 1.1.1.1 | 192.168.2.6
                                            Jul 1, 2024 19:23:06.557646990 CEST | 54453 | 53 | 192.168.2.6 | 1.1.1.1
                                            Jul 1, 2024 19:23:06.687870026 CEST | 53 | 54453 | 1.1.1.1 | 192.168.2.6
                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                            Jul 1, 2024 19:23:04.533341885 CEST | 192.168.2.6 | 1.1.1.1 | 0xb5f8 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                            Jul 1, 2024 19:23:06.557646990 CEST | 192.168.2.6 | 1.1.1.1 | 0x4d6c | Standard query (0) | mail.iaa-airferight.com | A (IP address) | IN (0x0001) | false
                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                            Jul 1, 2024 19:23:04.542716980 CEST | 1.1.1.1 | 192.168.2.6 | 0xb5f8 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                            Jul 1, 2024 19:23:04.542716980 CEST | 1.1.1.1 | 192.168.2.6 | 0xb5f8 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                            Jul 1, 2024 19:23:04.542716980 CEST | 1.1.1.1 | 192.168.2.6 | 0xb5f8 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                            Jul 1, 2024 19:23:06.687870026 CEST | 1.1.1.1 | 192.168.2.6 | 0x4d6c | No error (0) | mail.iaa-airferight.com | | 46.175.148.58 | A (IP address) | IN (0x0001) | false
                                            • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49716 | 104.26.13.205 | 443 | 4884 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-01 17:23:05 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-07-01 17:23:05 UTC | 211 | IN | HTTP/1.1 200 OK
Date: Mon, 01 Jul 2024 17:23:05 GMT
Content-Type: text/plain
Content-Length: 11
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 89c814f77b20437f-EWR
2024-07-01 17:23:05 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
Data Ascii: 8.46.123.33



                                            Target ID:0
                                            Start time:13:22:56
                                            Start date:01/07/2024
                                            Path:C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe"
                                            Imagebase:0xeb0000
                                            File size:655'360 bytes
                                            MD5 hash:6DD4F871C7D18B3F1B45A7112C21CED3
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2186028148.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2186028148.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:3
                                            Start time:13:23:02
                                            Start date:01/07/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 4500005168 NIKOLA.exe"
                                            Imagebase:0xc0000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:13:23:02
                                            Start date:01/07/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:5
                                            Start time:13:23:02
                                            Start date:01/07/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GpAHAtkovL.exe"
                                            Imagebase:0xc0000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:6
                                            Start time:13:23:02
                                            Start date:01/07/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:7
                                            Start time:13:23:02
                                            Start date:01/07/2024
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GpAHAtkovL" /XML "C:\Users\user\AppData\Local\Temp\tmp7910.tmp"
                                            Imagebase:0x340000
                                            File size:187'904 bytes
                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:8
                                            Start time:13:23:02
                                            Start date:01/07/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:9
                                            Start time:13:23:03
                                            Start date:01/07/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                            Imagebase:0xb30000
                                            File size:45'984 bytes
                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.4569752583.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.4569752583.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.4571658613.000000000316C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.4571658613.0000000003141000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.4571658613.0000000003141000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:high
                                            Has exited:false

                                            Target ID:10
                                            Start time:13:23:05
                                            Start date:01/07/2024
                                            Path:C:\Users\user\AppData\Roaming\GpAHAtkovL.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Users\user\AppData\Roaming\GpAHAtkovL.exe
                                            Imagebase:0x930000
                                            File size:655'360 bytes
                                            MD5 hash:6DD4F871C7D18B3F1B45A7112C21CED3
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Antivirus matches:
                                            • Detection: 100%, Avira
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 29%, ReversingLabs
                                            Reputation:low
                                            Has exited:true

                                            Target ID:11
                                            Start time:13:23:05
                                            Start date:01/07/2024
                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                            Imagebase:0x7ff717f30000
                                            File size:496'640 bytes
                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                            Has elevated privileges:true
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                              Execution Graph

                                              Execution Coverage:9.5%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:218
                                              Total number of Limit Nodes:10

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 0168DC86
                                              • GetCurrentThread.KERNEL32 ref: 0168DCC3
                                              • GetCurrentProcess.KERNEL32 ref: 0168DD00
                                              • GetCurrentThreadId.KERNEL32 ref: 0168DD59
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2174886559.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1680000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0

                                              Control-flow Graph

                                              APIs
                                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 032713A6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2181329569.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_3270000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0

                                              Control-flow Graph

                                              APIs
                                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 032713A6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2181329569.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_3270000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0

                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0168C0A6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2174886559.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1680000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0

                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 016834D1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2174886559.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1680000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0

                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 016834D1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2174886559.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1680000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0

                                              APIs
                                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 03270F78
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2181329569.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_3270000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0

                                              APIs
                                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 03270F78
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2181329569.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_3270000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0

                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 03270996
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2181329569.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_3270000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0

                                              APIs
                                              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 03271058
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2181329569.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_3270000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0

                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 03270996
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2181329569.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_3270000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0

                                              APIs
                                              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 03271058
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2181329569.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_3270000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0168E2DF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2174886559.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1680000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0

                                              APIs
                                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 03270E96
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2181329569.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_3270000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0168C121,00000800,00000000,00000000), ref: 0168C332
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2174886559.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1680000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0

                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0168C121,00000800,00000000,00000000), ref: 0168C332
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2174886559.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1680000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              APIs
                                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 03270E96
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2181329569.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_3270000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2181329569.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_3270000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2181329569.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_3270000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0168C0A6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2174886559.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1680000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              APIs
                                              • PostMessageW.USER32(?,?,?,?), ref: 03274F15
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2181329569.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_3270000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              APIs
                                              • PostMessageW.USER32(?,?,?,?), ref: 03274F15
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2181329569.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_3270000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ef11c5f7f7d00092ef7dd6efdd41765960ad2b41c25ab0646e68c2c68ba989c9
                                              • Instruction ID: 52d751eaf8a00c80eddd1d70ba6ef65d1fca31567f3dd426dcdd26b1515b7ed4
                                              • Opcode Fuzzy Hash: ef11c5f7f7d00092ef7dd6efdd41765960ad2b41c25ab0646e68c2c68ba989c9
                                              • Instruction Fuzzy Hash: 1651C2B4509384DFC706DB6AE554999BFB0FF4A201B2A81DAC484DF2B3C6359E45CB12
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2192934036.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d10000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2a14af03e70d4d61d4b9d6f0bcb5ee250afd6e668f36d660820e94570ed02a60
                                              • Instruction ID: eb92332ea7b5a09dc17af5b9d0a0cb7406fdd224a43aeba70cbf1834bd7040ca
                                              • Opcode Fuzzy Hash: 2a14af03e70d4d61d4b9d6f0bcb5ee250afd6e668f36d660820e94570ed02a60
                                              • Instruction Fuzzy Hash: 5851087191070ADFCB01EF68D880999FBB5FF49320B14875AE859EB255EB70E985CBC0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1da76c6c38edc03cb5d2def846d1a425f681cd31f9709f4d78d030aefb437a57
                                              • Instruction ID: 86820f5a941344d2f064e7ae7e9fd70b3271cc4114de00c594da218e4fbbca9a
                                              • Opcode Fuzzy Hash: 1da76c6c38edc03cb5d2def846d1a425f681cd31f9709f4d78d030aefb437a57
                                              • Instruction Fuzzy Hash: 66511D34B10105DFDB45EBA9D958A6EBBB7FFC8211B24802DD906D7386CE359C42CB91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e44e7fbcd710d6156ceafe05d11f52870b45a596e7fcbfdcde907fe78bc37943
                                              • Instruction ID: 5cbca7acb70a4de03b3da5c5f05339311cbb90a42b50b81c7c743afafa0a47ec
                                              • Opcode Fuzzy Hash: e44e7fbcd710d6156ceafe05d11f52870b45a596e7fcbfdcde907fe78bc37943
                                              • Instruction Fuzzy Hash: B84138B4E29219DFCB08CFA9E5889EEBBB0FB4D211B015859E816E7352D7709850CF21
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9c6422609b587d8149237b563b56f49f145dd198cd3eb0bb05af89d78e0f8ea8
                                              • Instruction ID: 9989a3a0a140704e16c69fdea7eccb34127903f9ddf203c3a476c6b1a776092a
                                              • Opcode Fuzzy Hash: 9c6422609b587d8149237b563b56f49f145dd198cd3eb0bb05af89d78e0f8ea8
                                              • Instruction Fuzzy Hash: 4841B0B4E15219DFCB04CFACD5809EDBBF1BB09305F249529E41AEB256D731A982CF50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b64289c88caecab853e895223f5aeed64b83aa9af322fd144c69516e98490975
                                              • Instruction ID: 06b84756e9cc891ee509d6973c266b471efafe970f23c2e5d3d620ff67d7fc47
                                              • Opcode Fuzzy Hash: b64289c88caecab853e895223f5aeed64b83aa9af322fd144c69516e98490975
                                              • Instruction Fuzzy Hash: 044158B4E25219DFCB08CFA9E5889EEBBB0FB4D301B015859E816E7352D7709850CF21
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 18f72579de51d04e7073752755544ff26cc0a728e13ccad77f115de00e418ea7
                                              • Instruction ID: f0aef38bf84e3836fb93bc54e136e997adb6dcf7aa736774db4590018439c92c
                                              • Opcode Fuzzy Hash: 18f72579de51d04e7073752755544ff26cc0a728e13ccad77f115de00e418ea7
                                              • Instruction Fuzzy Hash: FA41BC74E102199FCF45EFA8D884AEDBBB2BF49305F10902AE919FB252D7309941CF18
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5736b5d73bb134785f364cb5148240d97c6e5df11869c9a0d2c8514070710724
                                              • Instruction ID: 86367a8958daae6f3d8d3b6d09d77d7abd08b7a2250926355033e74483011efa
                                              • Opcode Fuzzy Hash: 5736b5d73bb134785f364cb5148240d97c6e5df11869c9a0d2c8514070710724
                                              • Instruction Fuzzy Hash: 81315972914309AFCF04CFA9D948A9EBFF5EF48320F10842AE909A7251D775A950CFA1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 910369e62c8a097e9806df48e33dc83ce7d3fb6d93cdf2dc94f564fb550c9570
                                              • Instruction ID: bb0cf9884f9e464fc62dceeae436aa0e8c523c79e3914cf7000e51d1db65235d
                                              • Opcode Fuzzy Hash: 910369e62c8a097e9806df48e33dc83ce7d3fb6d93cdf2dc94f564fb550c9570
                                              • Instruction Fuzzy Hash: B7316635600209DFCB01DF68C884AEA7BF2EF89301F5484A9E805AB2A2DB35ED05CF50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2192934036.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d10000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 956f6d65d4890b56e86b22c0152af1429a46e6b4fe7a45e5b2100959250470f3
                                              • Instruction ID: da0c0420bbfc18432f832e2445f7072256c26ce1358d8780858ece05da2a304f
                                              • Opcode Fuzzy Hash: 956f6d65d4890b56e86b22c0152af1429a46e6b4fe7a45e5b2100959250470f3
                                              • Instruction Fuzzy Hash: 19414D74A04206DFCB14CF68D584A99FBF1FF49310B0986AAE84ADB752D734EC85CB54
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4f2f1fda712021bed20da645534d20ed8a66e1a78bcf813b378008045fb7a069
                                              • Instruction ID: 6ec81a3532dab842c8224ba3b0cbbb517b53dee0953a21be7c2c4ebba9170861
                                              • Opcode Fuzzy Hash: 4f2f1fda712021bed20da645534d20ed8a66e1a78bcf813b378008045fb7a069
                                              • Instruction Fuzzy Hash: 9731F2B5A18348AFCF09CB78CC489AD7BF9EF41210B1440EAD805EB252EA31AD128B50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c4887a6c39446160aea29b4f611e28c872455a0dd2ef9d33edc65edc541e2fe9
                                              • Instruction ID: 8e9ecc19db54f2e6e87c384b491ea6387f98a31219c63355619887204fcced5e
                                              • Opcode Fuzzy Hash: c4887a6c39446160aea29b4f611e28c872455a0dd2ef9d33edc65edc541e2fe9
                                              • Instruction Fuzzy Hash: C4317A34614205DBD749EB9CC868B69B7B2FFD9305F24806ED5069B3C6CBB5AC02CB40
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2192934036.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d10000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cb6da6f9e6443056d369ab063f1f869c700224a0cb405f05a931f8c4dc97890f
                                              • Instruction ID: 08d6be792d2f1fc3e55b4edfef4288f4435f6c1e45d46a822a5b884d1b1d0cb8
                                              • Opcode Fuzzy Hash: cb6da6f9e6443056d369ab063f1f869c700224a0cb405f05a931f8c4dc97890f
                                              • Instruction Fuzzy Hash: EA21793270A6505FDB09A729A42577D6BD7EFC6221F48446AC90ADF3D1DE388C02879A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0d8c03ebd971e2beb402f961f84ae6168dbc39fa8472fb87dfabc28ec98ab495
                                              • Instruction ID: 5f8b1e8daf0974926ffbc2aab6227708ef9a6cb9f1ae09a6b29a67eaba5faef0
                                              • Opcode Fuzzy Hash: 0d8c03ebd971e2beb402f961f84ae6168dbc39fa8472fb87dfabc28ec98ab495
                                              • Instruction Fuzzy Hash: 2E3102346006029FD755DB89C890A9AB7F2FFC8724B24C468E95A9B795CB36FC02CF50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 535354ab6f45325ad861efb259b6a8bdedcc7ae2b89a16dd72591ac7f3b0d0db
                                              • Instruction ID: 0729d4be3361868e730ed3acf4499971891aee45873aaf5935040d2795f202a4
                                              • Opcode Fuzzy Hash: 535354ab6f45325ad861efb259b6a8bdedcc7ae2b89a16dd72591ac7f3b0d0db
                                              • Instruction Fuzzy Hash: 4431C174E14219DFCB08CFA9C8809EDFBB6BF4C311F209129E91AAB256C7315905CF50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5483090a634fe55e76338793def37fe436d805b298ac4f362eb09d66e1bb4f27
                                              • Instruction ID: 497faf2fba0f94263d0bcb7357554eb3f5b4673bc3d3254e5084880893b41065
                                              • Opcode Fuzzy Hash: 5483090a634fe55e76338793def37fe436d805b298ac4f362eb09d66e1bb4f27
                                              • Instruction Fuzzy Hash: C331A474A16215CFD705CFECE258AAEBBB1FF84311B045268D4159B363DBB49882CF40
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2172838570.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_151d000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 50e1e8c464ffce397844ac8cad9a9e60b3d80207c777d2656a525829f4e1a4e7
                                              • Instruction ID: d947e83ed020fb105adbe61f731ab4dbda4ad7a7650cc8dc7ca3c5b188f78efe
                                              • Opcode Fuzzy Hash: 50e1e8c464ffce397844ac8cad9a9e60b3d80207c777d2656a525829f4e1a4e7
                                              • Instruction Fuzzy Hash: 0E212771140204DFEB06DF44D5C4B5ABFB5FB84314F20C568D9090F21AC3BAE456CAA1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e3d1aebf8663f2d1672b316eab89ea097ca22a82b8e08db8474eda6e0cde422f
                                              • Instruction ID: d7a02258b1c4595527ed3efaf985091c98890c13120f66fd847b11e1fced4a44
                                              • Opcode Fuzzy Hash: e3d1aebf8663f2d1672b316eab89ea097ca22a82b8e08db8474eda6e0cde422f
                                              • Instruction Fuzzy Hash: F921383032C105DBC755D66DE81866A77AAEBC9261F54407FD90A973C3CFB56C028FA0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 59d596b292bc4e6e80802aaaa88c2dd34813cece7848666429d35beaac432d1e
                                              • Instruction ID: fce1e14838e0ea89235f67c8401d7b997e30a2c7410b35c201c0a725072a1adb
                                              • Opcode Fuzzy Hash: 59d596b292bc4e6e80802aaaa88c2dd34813cece7848666429d35beaac432d1e
                                              • Instruction Fuzzy Hash: 0C21E474E15219DFCB48CFA9C4849EDFBF6BF48301F108029D81AAB296C6305945CF50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2172931159.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_152d000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3029db50e6d05cd650d786a44454889031f03b8c2bc714e3ef5125da83b6657b
                                              • Instruction ID: 078419b955b0ab1d32d652d2df25df03deeed291cdb398e1556f66e2eb95073b
                                              • Opcode Fuzzy Hash: 3029db50e6d05cd650d786a44454889031f03b8c2bc714e3ef5125da83b6657b
                                              • Instruction Fuzzy Hash: 4F213472504200EFDB05DF94D9C0B2ABBB1FB86324F20C96DE90A4F292C77AD406CA61
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2172931159.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_152d000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cddc813ab6775818be3533c3caa05cffcb6137e166bc3fcade846e854ec148d3
                                              • Instruction ID: 4bce137ca46a0044e58e2fcc18fd2a869efdfdba5b750b586b8cb80ea4d5c02d
                                              • Opcode Fuzzy Hash: cddc813ab6775818be3533c3caa05cffcb6137e166bc3fcade846e854ec148d3
                                              • Instruction Fuzzy Hash: CB212276604244EFDB15DF54D9C0B2ABBB1FB85314F20C96DD90A0F2A2D77AD407CA61
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2192934036.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d10000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 11e35c8cc6e9410a0b062f4902d2ff19f056a26098e2f8aef5a45253a084215a
                                              • Instruction ID: b8848e86a102c15192d0cfb8822e48ecb6ec46108eaf7d9fc77c39126c96aa9e
                                              • Opcode Fuzzy Hash: 11e35c8cc6e9410a0b062f4902d2ff19f056a26098e2f8aef5a45253a084215a
                                              • Instruction Fuzzy Hash: BE213032A106099FCB10EF6CD84099EFBB5FF59311B50C26AE958A7200EB30E994CBD1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d0147ac8228de9c18136f6d68cd2b8d692c06c34724812f5cb59a2585a1958ab
                                              • Instruction ID: cce4b637f3d1a812f4514a1dbc9c19c08a99bcd3f763f1239bc1f90961c9dd55
                                              • Opcode Fuzzy Hash: d0147ac8228de9c18136f6d68cd2b8d692c06c34724812f5cb59a2585a1958ab
                                              • Instruction Fuzzy Hash: E631DFB0C11259DFDB20CF99C688BDEBFB0AF48715F24846AE408BB291C7B55845CFA0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              • Opcode ID: 4498eecee28a9cbbfbc1ad7ce287e80ccfc37fd7579aaa8cd289fcb38b494cc2
                                              • Instruction ID: 6fbee90f04f6e6ae8969379a23708c451af4ec132aaa198435e249cfa1c483ca
                                              • Opcode Fuzzy Hash: 4498eecee28a9cbbfbc1ad7ce287e80ccfc37fd7579aaa8cd289fcb38b494cc2
                                              • Instruction Fuzzy Hash: 9201E57182421AEEDB14CF6DC5456EEBBF1AB49321F248229E815BB2A1C7744A84CF90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8efd3074259786c52d9207dd8bf7d510c3865546ce0c2cde51d161329ff05142
                                              • Instruction ID: a08a35db37efca8126231d5e362b00da731521892d3a4cdb274aafda7e7cead8
                                              • Opcode Fuzzy Hash: 8efd3074259786c52d9207dd8bf7d510c3865546ce0c2cde51d161329ff05142
                                              • Instruction Fuzzy Hash: B6F0C830328008DBC709568DD918A76777AEBC5156B30402AE507D73C7DF65AC028B60
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 44d53be49ead5f3ba2b0ea372d45d40c0305fa8747bd74bdd8559c118386f860
                                              • Instruction ID: 0e00d03a7a19d0215226284329a99d6e0132d2f10b30ed699250928246fad99c
                                              • Opcode Fuzzy Hash: 44d53be49ead5f3ba2b0ea372d45d40c0305fa8747bd74bdd8559c118386f860
                                              • Instruction Fuzzy Hash: 06018CB4A1A315CFDB05CFACE5499AEBBB1FB45301B108628D406EB353DB745852CF00
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2192934036.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d10000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7fc95d7b2fdb6eb6bbb0a457297851db811662562f2bf8223684beef8e7a1d51
                                              • Instruction ID: 6a0c78c84aa9ec41673844c16d716b77ddde3c266ef8c2322068e97159bba484
                                              • Opcode Fuzzy Hash: 7fc95d7b2fdb6eb6bbb0a457297851db811662562f2bf8223684beef8e7a1d51
                                              • Instruction Fuzzy Hash: 82F054323047154B96149B6AF88485ABFEAFFC4235304457EE60AC7620DFA1AD4987D4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fe85a3089857319381522e113d633422b0b7003c888d611ae247eb91b5a67f80
                                              • Instruction ID: bec59556c2869f7736b9cdd8e0ac58ff4278fc97e21894d858942bbd92508b2a
                                              • Opcode Fuzzy Hash: fe85a3089857319381522e113d633422b0b7003c888d611ae247eb91b5a67f80
                                              • Instruction Fuzzy Hash: 70F04F3192924ADFD719DF68C8486FEBBB4EF46202F10455ED426A7393C7B00944CF91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2172838570.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_151d000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f73d4d0c9957a89b99984a986025448b651f0c650420d45ab4a36e3a3270388a
                                              • Instruction ID: b013c58f92d5b602cb608f176ef33c28d8c801564c443e0046be0cbe330de690
                                              • Opcode Fuzzy Hash: f73d4d0c9957a89b99984a986025448b651f0c650420d45ab4a36e3a3270388a
                                              • Instruction Fuzzy Hash: 4FF068724053449EF7118A59DDC4766FFA8FF81724F18C45AEE484E287C7799844CB71
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 63827b349d467b353b3563a1c0b408e834585c66b0915d436cd49050ac12324b
                                              • Instruction ID: 8567c3e73b4f8b0a6e5b0736bea962f9f3c98a535e0284ce07bc0a6da54e9401
                                              • Opcode Fuzzy Hash: 63827b349d467b353b3563a1c0b408e834585c66b0915d436cd49050ac12324b
                                              • Instruction Fuzzy Hash: E1F0F032608248AFDB09CB6CD84889E7FE5DF15220B0580AFE449DB263D23088518B45
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fa1b6409a1bdf812ea085b85d9367946f5cd65bcc70ea3c39a60b4501e91f053
                                              • Instruction ID: bd68fb614233899593c142d46d9ce38db1250143d131616c8cd54705b4bffcf5
                                              • Opcode Fuzzy Hash: fa1b6409a1bdf812ea085b85d9367946f5cd65bcc70ea3c39a60b4501e91f053
                                              • Instruction Fuzzy Hash: 5A01D670A24218CBC718CF98D694AACBBB6FB49312F905099D40AA7282C3719880CE10
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2192934036.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d10000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a263e5442c5176afa3f8e24c78d27b09c8be90369c24097de6f8335e329cd26d
                                              • Instruction ID: 738fd72b62bdfe8c831a72a9f6c1173a84fccfcc452f2daeebdb32fcad6cf183
                                              • Opcode Fuzzy Hash: a263e5442c5176afa3f8e24c78d27b09c8be90369c24097de6f8335e329cd26d
                                              • Instruction Fuzzy Hash: E2F0E9313007424BD615AB2DF48495A7FEDFBC5220740456DEA4BC7631CFA1AC468798
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fff74fa9d15c15c3c17235735b9d64b5cb167f910414eef9c2bb171c0fd5fe9e
                                              • Instruction ID: 620f0ee9f6f3e9e6921e7e424efa57626be7e21032e712233fab76e859ee8013
                                              • Opcode Fuzzy Hash: fff74fa9d15c15c3c17235735b9d64b5cb167f910414eef9c2bb171c0fd5fe9e
                                              • Instruction Fuzzy Hash: 7B01EC70814219DFDB14CF6EC5453AE7AF1AF45361F208229E414AA191D7744A40CFD0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2192934036.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d10000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c1a313dac37c008b1a90ed020486ddf74041a2092379fcd5518fcedf02d1802a
                                              • Instruction ID: 725f08a9b9988f347831d5d9e36b3c50c2032a090c381cae01d071893d9c17e3
                                              • Opcode Fuzzy Hash: c1a313dac37c008b1a90ed020486ddf74041a2092379fcd5518fcedf02d1802a
                                              • Instruction Fuzzy Hash: CEF04931250610CFC304DB2CD449E457BE6FF4A714B1545A9E94ACB732CB66EC40CB80
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8d020041cf24af40baa10b7f8897b531f124632f2509a9419ab470a36e59b3f6
                                              • Instruction ID: dd1a5ff082e45cca8b746e8865c93003dbffe0aed9c4ac5b37a2d035e60c8bae
                                              • Opcode Fuzzy Hash: 8d020041cf24af40baa10b7f8897b531f124632f2509a9419ab470a36e59b3f6
                                              • Instruction Fuzzy Hash: 3AF08930338009DB874A969E951883677BAEBC5161770446AE507D73C7CEA16C028B60
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2192934036.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d10000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7e9005cabacc80f3ce09d93744bd4da59a8803d3c7c7e591f662cbb4b3ff3d65
                                              • Instruction ID: 0cdba7d795a005d9d279a5bcbe80279707121c5d378a2601ff7d661bac545ba0
                                              • Opcode Fuzzy Hash: 7e9005cabacc80f3ce09d93744bd4da59a8803d3c7c7e591f662cbb4b3ff3d65
                                              • Instruction Fuzzy Hash: 60E0ED36204912C6CB46DE2CA44479B76D6EF87750F894F76E905BF601C9A0694543D4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 960126c5fbd73266831e2aee6573d88d3e87ac9db71002d44c50d0b026e1822c
                                              • Instruction ID: 285290a6821b6d3000a0d857948ea5090ada804e86f7dd87b615f9728c63d72c
                                              • Opcode Fuzzy Hash: 960126c5fbd73266831e2aee6573d88d3e87ac9db71002d44c50d0b026e1822c
                                              • Instruction Fuzzy Hash: 25F03078A52209CFDB04CBE8D94059CBBB5FB4A302B605329D015E7292DB71A903CF50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dae38d8e9c495aae6e9b72bd377c724736bc2afa783ebefb6e13bd9a00e10166
                                              • Instruction ID: 29d6d9ca7d88497aee32a0f2e9a655d37066137030534ed72ebe00b296851b68
                                              • Opcode Fuzzy Hash: dae38d8e9c495aae6e9b72bd377c724736bc2afa783ebefb6e13bd9a00e10166
                                              • Instruction Fuzzy Hash: 13E039727042286FA304EA6AD884D6BBBEEFBCC674311807AE518C7314DA319C01C6A0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bc61e6d8a52af710d08a9e3b062e295e5fc4c4bc37baba9ac82f1e7fba74d4dd
                                              • Instruction ID: a406b6f33fb4142093177a18858aa74e2a0d9ab95fa2c43abd442d4e6da3cf1f
                                              • Opcode Fuzzy Hash: bc61e6d8a52af710d08a9e3b062e295e5fc4c4bc37baba9ac82f1e7fba74d4dd
                                              • Instruction Fuzzy Hash: 46F0F478A1421ADFC746DF98C58549CFBB1FB58310B24856AC81AAB386DB32A847CF41
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 81dd9bbefd01156bc0d2ce3c736b7468ecc03e1cce4d56e2d9aaaea0ceb8a147
                                              • Instruction ID: 43004b24486aebda51c4088bb063b276a4cbc69d31f63c6dbfc5c6ecb5549f32
                                              • Opcode Fuzzy Hash: 81dd9bbefd01156bc0d2ce3c736b7468ecc03e1cce4d56e2d9aaaea0ceb8a147
                                              • Instruction Fuzzy Hash: 77F05E32804359EFCF128FA4E9059DD7F32FF06212F5441ADE90516162C33249A4EF91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2192934036.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d10000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0d8c037fbf803e65c14a608200ecf5749f6bfd7a32dc110357ec17a8fe30f313
                                              • Instruction ID: 11d343349d1a2693b5b52116809db093a680c2b5c6c89d877f69e7d1b7868aec
                                              • Opcode Fuzzy Hash: 0d8c037fbf803e65c14a608200ecf5749f6bfd7a32dc110357ec17a8fe30f313
                                              • Instruction Fuzzy Hash: 99F0906260D6D4ABD7124B78AE586603F74EE53206F0C40CFD886CB597EB65E405D316
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c60d0511f49b9213457fb21c70eac427e05b8573de931624b4f2ed5a43464b3a
                                              • Instruction ID: 99233edbfffd44a7be7e01864e898bd754b3247bc66151bd7bed6e8f5d4c4a6a
                                              • Opcode Fuzzy Hash: c60d0511f49b9213457fb21c70eac427e05b8573de931624b4f2ed5a43464b3a
                                              • Instruction Fuzzy Hash: 4FF0E930B181409BD7099BACD4189EA7F76EBC6310F04847EE802677C2CA715C06CF91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2192934036.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d10000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4b319cfb31fe1d447011a3f820eb1f1e5be259c82499358c9a14e6c2139f54b8
                                              • Instruction ID: 6fc6f4b030d8425e01e71829a26ba6ea3688d30551a96defceac79dbbdec26ae
                                              • Opcode Fuzzy Hash: 4b319cfb31fe1d447011a3f820eb1f1e5be259c82499358c9a14e6c2139f54b8
                                              • Instruction Fuzzy Hash: 86E01A3B2009118ACB46DE2CA44079BB2E6AF87750F890B72E900BF601C5A0698583D0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 422e7e9ec3c45f7228e9a4018ed7fb90c2b9ef6936b6d18f1865542721596e39
                                              • Instruction ID: de1eef8832535ba90908443e08eeaafe3db09900c5ba87f86e2b433aff7f5ebe
                                              • Opcode Fuzzy Hash: 422e7e9ec3c45f7228e9a4018ed7fb90c2b9ef6936b6d18f1865542721596e39
                                              • Instruction Fuzzy Hash: 47F03AB8A06318CFCF04DFA8E5545EDBB75FB8A341B208229E409EB386DB345952CF11
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2192934036.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d10000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3c731bf9a4394e9a5794c4d8dd16f31f3ecabd465de7b7aa9b4159f671a2e107
                                              • Instruction ID: 1af2353103943d1f5485897d8f259a1a997f363d1621f4356a1b8fa2c6566357
                                              • Opcode Fuzzy Hash: 3c731bf9a4394e9a5794c4d8dd16f31f3ecabd465de7b7aa9b4159f671a2e107
                                              • Instruction Fuzzy Hash: 7DF0F230250610CFC718DB2CD588C59BBEAFF49B1971545A9E90ACB732CBB2EC40CB80
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e95b4826355f80bf4e5d9d4d5f93531c1474c603945eb1d0bc9b62f2ef01f44d
                                              • Instruction ID: 4eeb250fcec532c38cccde0bbadf02325636685fe5ddbc21ab7b860149e1cf3a
                                              • Opcode Fuzzy Hash: e95b4826355f80bf4e5d9d4d5f93531c1474c603945eb1d0bc9b62f2ef01f44d
                                              • Instruction Fuzzy Hash: D5F06D35A0924CAFCB11DFF8C91468CBFB0EF89301F0481AED915A7251D3349A54EF41
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a17eb41dc9947c23f1e27292df0b40ec19190e161ea899cb1e8392a2c228bdbe
                                              • Instruction ID: 83f9d29dc4338b9ad6355ec28efadd44408f0d1a8b596ceedd1c1407e8a13fb3
                                              • Opcode Fuzzy Hash: a17eb41dc9947c23f1e27292df0b40ec19190e161ea899cb1e8392a2c228bdbe
                                              • Instruction Fuzzy Hash: 94F05E30935214CFC724CF58D298AAC7BB6FB4A322F904594D45A772D3C7759881CF50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2192934036.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d10000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fe0c5d1bb1c6c7b1825329a75cc2cff68d6f63272327ada155747cf33baa5378
                                              • Instruction ID: 4c5e3e6319b01a33963f8c996d4a254fe92c25b45ea92e054e4d8e190ededca5
                                              • Opcode Fuzzy Hash: fe0c5d1bb1c6c7b1825329a75cc2cff68d6f63272327ada155747cf33baa5378
                                              • Instruction Fuzzy Hash: 87725C30E00219DFCB10CFA8D984AADBFF6FF84300F1585AAE846AB255DB309995CF55
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2192934036.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d10000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 54c25509aa6b1964fd3b0dde9adb95ea282ab34d786faa6cb81ea1aa23ad955b
                                              • Instruction ID: 21b74f485a3dc9d0a5233b114088ed4b9790adfe7529e3fc6b2c2db8ae2f30dc
                                              • Opcode Fuzzy Hash: 54c25509aa6b1964fd3b0dde9adb95ea282ab34d786faa6cb81ea1aa23ad955b
                                              • Instruction Fuzzy Hash: BE42E434701210CFDB18DF78D658A697BE2FF89206B2044BEEA47DB366DB759881CB14
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2181329569.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_3270000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d39658fdc5d78ff6f6f9cae510722dbed14f199c1d869f382a38e958554e8697
                                              • Instruction ID: 3540d7d756ee580d7b9927d04dd582c7767d99fdb9760465d7e2c7b7a155046c
                                              • Opcode Fuzzy Hash: d39658fdc5d78ff6f6f9cae510722dbed14f199c1d869f382a38e958554e8697
                                              • Instruction Fuzzy Hash: ACE10974E102598FDB14CF99C580AAEFBB2FF88304F248269D414AB355D731AD86CFA0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2181329569.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_3270000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d1e5faac4a138bf0f603b2c465b20a461196fea647e258fc1c50009e2d3b1126
                                              • Instruction ID: dfed28121fae830d42c71782a5597167d0a440678bc5071b8bf830405dafe17b
                                              • Opcode Fuzzy Hash: d1e5faac4a138bf0f603b2c465b20a461196fea647e258fc1c50009e2d3b1126
                                              • Instruction Fuzzy Hash: 3BE10974E102598FDB14CF99C590AAEFBB2FF89304F248269D414AB355D771AD82CFA0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 06bc1d5fa4f4ca31bb28f8ee7e469cb1d3b80bea06c1cc25315c84a52d8c407e
                                              • Instruction ID: f9d63417b1604b290302d4790c60232299029e037f7c40121d8b7df2d02f4632
                                              • Opcode Fuzzy Hash: 06bc1d5fa4f4ca31bb28f8ee7e469cb1d3b80bea06c1cc25315c84a52d8c407e
                                              • Instruction Fuzzy Hash: D5E12C74E112598FDB14CFA8D584AAEFBB2FF89305F248269D404AB356D731AD42CF60
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 823d73bd41158bf25f5c6f5122947a9362e725a57844c6308ed9f87a1cfb2a23
                                              • Instruction ID: 40c6a79daba06d030ac654f93e55a430060cf50263f44a3f54207ac0da6f2008
                                              • Opcode Fuzzy Hash: 823d73bd41158bf25f5c6f5122947a9362e725a57844c6308ed9f87a1cfb2a23
                                              • Instruction Fuzzy Hash: FAE11C74E102598FDB14CFA8D580AAEFBB2FF89305F248569D414A7356D731AD82CFA0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dc692df003e4d9a442854a16cfae01a402fb174f1b66809b921aec7219bfbd46
                                              • Instruction ID: b0b9d938f8abc5ba34712faa2f74536f6ccb189df8a82660ff8241d2ed81703c
                                              • Opcode Fuzzy Hash: dc692df003e4d9a442854a16cfae01a402fb174f1b66809b921aec7219bfbd46
                                              • Instruction Fuzzy Hash: 22E11C74E102598FDB14CF98D580AAEFBB2FF88305F248669D414AB356D731AD82CF61
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2181329569.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_3270000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 30d18c4ecb1f3b5e9a4ddeb03298b0ca89e0a1a61fda5cfa0bb6e26ead44ef53
                                              • Instruction ID: cfc63094fdf88d5380e3977970c44b8785208092ed06166525892693934bbfe5
                                              • Opcode Fuzzy Hash: 30d18c4ecb1f3b5e9a4ddeb03298b0ca89e0a1a61fda5cfa0bb6e26ead44ef53
                                              • Instruction Fuzzy Hash: EDD1D234A10605CFDB18CF69C598AA9B7F1BF8D700F2980A8E519EB361DB31AD45CF60
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 606602484c71703b6b8ff43c244559a193332ce3646ae519d049ea0a05761a8d
                                              • Instruction ID: c96b33e402c2513e6696ae49d1d3caf26700238d00bb2debc48dc712fffa91e7
                                              • Opcode Fuzzy Hash: 606602484c71703b6b8ff43c244559a193332ce3646ae519d049ea0a05761a8d
                                              • Instruction Fuzzy Hash: EDE1463092075BCADB11EB68D954699B7B1FFD5310F60C7AAD00A3B221EB746AC5CF80
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 77af1677510e364ffbf0c673b4ee615642d12f2026903d45e85c6cba70200ebf
                                              • Instruction ID: 874b35635e08a992e724f2e93374e8b98befe329c86338b6be323dbf9fb4c01d
                                              • Opcode Fuzzy Hash: 77af1677510e364ffbf0c673b4ee615642d12f2026903d45e85c6cba70200ebf
                                              • Instruction Fuzzy Hash: E6D1253092075BCADB10EB68D954699B7B1FFD5310F60C7AAD10A3B221EB746AC4CF90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2181329569.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_3270000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 197957807d5e702e95e0b868425ea9458235ee7a621e57502cc1252b41c977ab
                                              • Instruction ID: d943592aca4faac553fc205e37dd928aeffabb0a2dea2f01ecda0a2a2bbefee8
                                              • Opcode Fuzzy Hash: 197957807d5e702e95e0b868425ea9458235ee7a621e57502cc1252b41c977ab
                                              • Instruction Fuzzy Hash: 7C617070E152598FCB15CF69C9915AEFBF2FF89304F24C1AAD404AB256D7309942CF61
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196381430.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8200000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fd206fd1b1a233103466f293fc08591b2ac163dc7be28723d6d1f821adb7eeb7
                                              • Instruction ID: 597087ea7a21143d578654f8ca2e8ed2b721653aeb96edf99f66f7b65fd62536
                                              • Opcode Fuzzy Hash: fd206fd1b1a233103466f293fc08591b2ac163dc7be28723d6d1f821adb7eeb7
                                              • Instruction Fuzzy Hash: 1631E35246F3E09FD70BA73858720D57FB0AD1325630A04CBC082CF1EBD55A998DCBA6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2181329569.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_3270000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ae12b333ba23125064ef22565fe296e70bf870a307b8e63f79acf7e05a8c3358
                                              • Instruction ID: b922338c58b74f2d5fe8e6eee2ff59b900cab8c4efb093972c925dc6c48eec71
                                              • Opcode Fuzzy Hash: ae12b333ba23125064ef22565fe296e70bf870a307b8e63f79acf7e05a8c3358
                                              • Instruction Fuzzy Hash: 1AE0923496C118CBCB10EF95E5484F8B7B8FB8E312F0120A5950EA7226DB7059CA8B41
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2181329569.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_3270000_PO 4500005168 NIKOLA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c2f08dcc53e1aea0fa9c8fb61e327e528236f5315586407f116696c51f3c387e
                                              • Instruction ID: d32e988f9506c5261a438bb362f0928c77a49fe4a66060362fdac38b1dec60ad
                                              • Opcode Fuzzy Hash: c2f08dcc53e1aea0fa9c8fb61e327e528236f5315586407f116696c51f3c387e
                                              • Instruction Fuzzy Hash: CFB09226EBE409E28912AD8A74000F8F3BCE6CB022F1030A2C61EA312543B181A50288

                                              Execution Graph

                                              Execution Coverage:11.9%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:100%
                                              Total number of Nodes:3
                                              Total number of Limit Nodes:0
                                              execution_graph 8611 1056ce0 8612 1056d41 GetUserNameW 8611->8612 8614 1056e2d 8612->8614

                                              Control-flow Graph

                                              control_flow_graph 552 1056ce0-1056d3f 553 1056d41-1056d6c 552->553 554 1056daa-1056dae 552->554 563 1056d9c 553->563 564 1056d6e-1056d70 553->564 555 1056db0-1056dd3 554->555 556 1056dd9-1056de4 554->556 555->556 557 1056de6-1056dee 556->557 558 1056df0-1056e2b GetUserNameW 556->558 557->558 561 1056e34-1056e4a 558->561 562 1056e2d-1056e33 558->562 568 1056e60-1056e87 561->568 569 1056e4c-1056e58 561->569 562->561 567 1056da1-1056da4 563->567 565 1056d92-1056d9a 564->565 566 1056d72-1056d7c 564->566 565->567 572 1056d80-1056d8e 566->572 573 1056d7e 566->573 567->554 578 1056e97 568->578 579 1056e89-1056e8d 568->579 569->568 572->572 576 1056d90 572->576 573->572 576->565 582 1056e98 578->582 579->578 580 1056e8f-1056e92 call 1050a00 579->580 580->578 582->582
                                              APIs
                                              • GetUserNameW.ADVAPI32(00000000,00000000), ref: 01056E1B
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4570471884.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1050000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: NameUser
                                              • String ID:
                                              • API String ID: 2645101109-0

                                              Control-flow Graph

                                              control_flow_graph 521 1056cd4-1056d3f 522 1056d41-1056d6c 521->522 523 1056daa-1056dae 521->523 532 1056d9c 522->532 533 1056d6e-1056d70 522->533 524 1056db0-1056dd3 523->524 525 1056dd9-1056de4 523->525 524->525 526 1056de6-1056dee 525->526 527 1056df0-1056e2b GetUserNameW 525->527 526->527 530 1056e34-1056e4a 527->530 531 1056e2d-1056e33 527->531 537 1056e60-1056e87 530->537 538 1056e4c-1056e58 530->538 531->530 536 1056da1-1056da4 532->536 534 1056d92-1056d9a 533->534 535 1056d72-1056d7c 533->535 534->536 541 1056d80-1056d8e 535->541 542 1056d7e 535->542 536->523 547 1056e97 537->547 548 1056e89-1056e8d 537->548 538->537 541->541 545 1056d90 541->545 542->541 545->534 551 1056e98 547->551 548->547 549 1056e8f-1056e92 call 1050a00 548->549 549->547 551->551
                                              APIs
                                              • GetUserNameW.ADVAPI32(00000000,00000000), ref: 01056E1B
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4570471884.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1050000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: NameUser
                                              • String ID:
                                              • API String ID: 2645101109-0