Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
z68ORDER.scr.exe

Overview

General Information

Sample name:z68ORDER.scr.exe
Analysis ID:1507912
MD5:a04e6ee334556cebd31e9ae152ddbed1
SHA1:68dbddadad1c6c40b8f824ee44726fea87118fcc
SHA256:5c875f9d28eae5afce4aac472b0825edef8cac3119d2991d3dd08a1fd32bd424
Tags:exescr
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • z68ORDER.scr.exe (PID: 7492 cmdline: "C:\Users\user\Desktop\z68ORDER.scr.exe" MD5: A04E6EE334556CEBD31E9AE152DDBED1)
    • powershell.exe (PID: 7672 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z68ORDER.scr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7948 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • z68ORDER.scr.exe (PID: 7688 cmdline: "C:\Users\user\Desktop\z68ORDER.scr.exe" MD5: A04E6EE334556CEBD31E9AE152DDBED1)
    • z68ORDER.scr.exe (PID: 7712 cmdline: "C:\Users\user\Desktop\z68ORDER.scr.exe" MD5: A04E6EE334556CEBD31E9AE152DDBED1)
    • z68ORDER.scr.exe (PID: 7732 cmdline: "C:\Users\user\Desktop\z68ORDER.scr.exe" MD5: A04E6EE334556CEBD31E9AE152DDBED1)
  • mpTrle.exe (PID: 8116 cmdline: "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe" MD5: A04E6EE334556CEBD31E9AE152DDBED1)
    • mpTrle.exe (PID: 8160 cmdline: "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe" MD5: A04E6EE334556CEBD31E9AE152DDBED1)
  • mpTrle.exe (PID: 6388 cmdline: "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe" MD5: A04E6EE334556CEBD31E9AE152DDBED1)
    • mpTrle.exe (PID: 7380 cmdline: "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe" MD5: A04E6EE334556CEBD31E9AE152DDBED1)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "wethem@aklaneah-sa.com", "Password": "Password:  )NYyffR0   "}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000A.00000002.1525325777.0000000002E93000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    0000000D.00000002.2546108508.0000000002CC0000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      0000000A.00000002.1521450126.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        0000000A.00000002.1521450126.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000007.00000002.2545303921.0000000002C4C000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 25 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            10.2.mpTrle.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              10.2.mpTrle.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                10.2.mpTrle.exe.400000.0.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                • 0x339d0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                • 0x33a42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                • 0x33acc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                • 0x33b5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                • 0x33bc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                • 0x33c3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                • 0x33cd0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                • 0x33d60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                0.2.z68ORDER.scr.exe.39cbc58.4.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  0.2.z68ORDER.scr.exe.39cbc58.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    Click to see the 12 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z68ORDER.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z68ORDER.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z68ORDER.scr.exe", ParentImage: C:\Users\user\Desktop\z68ORDER.scr.exe, ParentProcessId: 7492, ParentProcessName: z68ORDER.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z68ORDER.scr.exe", ProcessId: 7672, ProcessName: powershell.exe
                    Sigma detected: CurrentVersion Autorun Keys Modification
                    Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\z68ORDER.scr.exe, ProcessId: 7732, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mpTrle
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z68ORDER.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z68ORDER.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z68ORDER.scr.exe", ParentImage: C:\Users\user\Desktop\z68ORDER.scr.exe, ParentProcessId: 7492, ParentProcessName: z68ORDER.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z68ORDER.scr.exe", ProcessId: 7672, ProcessName: powershell.exe
                    Sigma detected: Suspicious Outbound SMTP Connections
                    Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 208.91.198.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\z68ORDER.scr.exe, Initiated: true, ProcessId: 7732, Protocol: tcp, SourceIp: 192.168.2.11, SourceIsIpv6: false, SourcePort: 49715
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z68ORDER.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z68ORDER.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z68ORDER.scr.exe", ParentImage: C:\Users\user\Desktop\z68ORDER.scr.exe, ParentProcessId: 7492, ParentProcessName: z68ORDER.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z68ORDER.scr.exe", ProcessId: 7672, ProcessName: powershell.exe

                    Suricata Signatures

                    No Suricata rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Found malware configuration
                    Source: 0.2.z68ORDER.scr.exe.39cbc58.4.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "wethem@aklaneah-sa.com", "Password": "Password: )NYyffR0 "}
                    Multi AV Scanner detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeReversingLabs: Detection: 34%
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeVirustotal: Detection: 33%Perma Link
                    Multi AV Scanner detection for submitted file
                    Source: z68ORDER.scr.exeReversingLabs: Detection: 34%
                    Source: z68ORDER.scr.exeVirustotal: Detection: 33%Perma Link
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeJoe Sandbox ML: detected
                    Machine Learning detection for sample
                    Source: z68ORDER.scr.exeJoe Sandbox ML: detected
                    Source: z68ORDER.scr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.11:49713 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.11:49718 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.11:49726 version: TLS 1.2
                    Source: z68ORDER.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: befV.pdbSHA256r source: z68ORDER.scr.exe, mpTrle.exe.7.dr
                    Source: Binary string: befV.pdb source: z68ORDER.scr.exe, mpTrle.exe.7.dr

                    Networking

                    barindex
                    Yara detected Generic Downloader
                    Source: Yara matchFile source: 0.2.z68ORDER.scr.exe.39cbc58.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.z68ORDER.scr.exe.3990c38.5.raw.unpack, type: UNPACKEDPE
                    Source: global trafficTCP traffic: 192.168.2.11:49715 -> 208.91.198.143:587
                    Source: Joe Sandbox ViewIP Address: 208.91.198.143 208.91.198.143
                    Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                    Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                    Source: Joe Sandbox ViewASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: global trafficTCP traffic: 192.168.2.11:49715 -> 208.91.198.143:587
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                    Source: global trafficDNS traffic detected: DNS query: us2.smtp.mailhostbox.com
                    Source: z68ORDER.scr.exe, 00000007.00000002.2542470162.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, z68ORDER.scr.exe, 00000007.00000002.2545303921.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, z68ORDER.scr.exe, 00000007.00000002.2542470162.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1525325777.0000000002E93000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1523301310.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1523301310.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2558716244.00000000060CF000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2546108508.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2542735415.0000000000FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                    Source: z68ORDER.scr.exe, 00000007.00000002.2542470162.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1523301310.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1532698130.0000000006732000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2558716244.00000000060CF000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2558475079.0000000006070000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2542735415.0000000000FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                    Source: z68ORDER.scr.exe, 00000007.00000002.2545303921.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, z68ORDER.scr.exe, 00000007.00000002.2542470162.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1525325777.0000000002E93000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1523301310.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1523301310.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2546108508.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2558475079.0000000006070000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2542735415.0000000000FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
                    Source: z68ORDER.scr.exe, 00000007.00000002.2542470162.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, z68ORDER.scr.exe, 00000007.00000002.2545303921.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, z68ORDER.scr.exe, 00000007.00000002.2542470162.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1525325777.0000000002E93000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1523301310.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1523301310.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2558716244.00000000060CF000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2546108508.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2542735415.0000000000FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                    Source: z68ORDER.scr.exe, 00000007.00000002.2545303921.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, z68ORDER.scr.exe, 00000007.00000002.2542470162.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1525325777.0000000002E93000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1523301310.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1532698130.0000000006732000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1523301310.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2546108508.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2558475079.0000000006070000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2542735415.0000000000FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0A
                    Source: z68ORDER.scr.exe, 00000000.00000002.1320773433.0000000002969000.00000004.00000800.00020000.00000000.sdmp, z68ORDER.scr.exe, 00000007.00000002.2545303921.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000009.00000002.1440089925.0000000002EA9000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1525325777.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.1523574938.000000000287D000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2546108508.0000000002C3C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: z68ORDER.scr.exe, 00000007.00000002.2545303921.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1525325777.0000000002E89000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2546108508.0000000002CAC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://us2.smtp.mailhostbox.com
                    Source: z68ORDER.scr.exe, 00000000.00000002.1322262193.0000000003909000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1521450126.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: z68ORDER.scr.exe, 00000000.00000002.1322262193.0000000003909000.00000004.00000800.00020000.00000000.sdmp, z68ORDER.scr.exe, 00000007.00000002.2545303921.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1525325777.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1521450126.0000000000402000.00000040.00000400.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2546108508.0000000002C3C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                    Source: z68ORDER.scr.exe, 00000007.00000002.2545303921.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1525325777.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2546108508.0000000002C3C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                    Source: z68ORDER.scr.exe, 00000007.00000002.2545303921.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1525325777.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2546108508.0000000002C3C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                    Source: z68ORDER.scr.exe, 00000007.00000002.2545303921.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, z68ORDER.scr.exe, 00000007.00000002.2542470162.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1525325777.0000000002E93000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1523301310.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1523301310.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2546108508.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2558475079.0000000006070000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2542735415.0000000000FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                    Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.11:49713 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.11:49718 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.11:49726 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Contains functionality to log keystrokes (.Net Source)
                    Source: 0.2.z68ORDER.scr.exe.39cbc58.4.raw.unpack, 3DlgK9re6m.cs.Net Code: sIJKyc
                    Source: 0.2.z68ORDER.scr.exe.3990c38.5.raw.unpack, 3DlgK9re6m.cs.Net Code: sIJKyc

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 10.2.mpTrle.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.z68ORDER.scr.exe.39cbc58.4.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.z68ORDER.scr.exe.3990c38.5.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.z68ORDER.scr.exe.39cbc58.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.z68ORDER.scr.exe.3990c38.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Initial sample is a PE file and has a suspicious name
                    Source: initial sampleStatic PE information: Filename: z68ORDER.scr.exe
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 0_2_00FED5BC0_2_00FED5BC
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 0_2_04DB77500_2_04DB7750
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 0_2_04DB00400_2_04DB0040
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 0_2_04DB00070_2_04DB0007
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 0_2_04DB77400_2_04DB7740
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 0_2_04DBBC430_2_04DBBC43
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 0_2_06A8E3200_2_06A8E320
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 0_2_06A88AA80_2_06A88AA8
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 0_2_06A8A1B80_2_06A8A1B8
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 0_2_06A881E00_2_06A881E0
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 0_2_06A881D10_2_06A881D1
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 0_2_06A87DA80_2_06A87DA8
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 0_2_06A87D980_2_06A87D98
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 0_2_06A898880_2_06A89888
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 0_2_06A879700_2_06A87970
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 0_2_06A879570_2_06A87957
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 7_2_011CB3087_2_011CB308
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 7_2_011CAB407_2_011CAB40
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 7_2_011C4AD07_2_011C4AD0
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 7_2_011C3EB87_2_011C3EB8
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 7_2_011C42007_2_011C4200
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 7_2_067CC5207_2_067CC520
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 7_2_067CAEFC7_2_067CAEFC
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 7_2_068227807_2_06822780
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 7_2_068255C87_2_068255C8
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 7_2_068265E07_2_068265E0
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 7_2_0682C5687_2_0682C568
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 7_2_0682B2207_2_0682B220
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 7_2_06825CE87_2_06825CE8
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 7_2_06827D687_2_06827D68
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 7_2_068276887_2_06827688
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 7_2_0682E7887_2_0682E788
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 7_2_068200077_2_06820007
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 7_2_068200407_2_06820040
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 9_2_02E2D5BC9_2_02E2D5BC
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 9_2_054377509_2_05437750
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 9_2_054300409_2_05430040
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 9_2_054300069_2_05430006
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 9_2_054377409_2_05437740
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 9_2_0702DDD89_2_0702DDD8
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 9_2_0702A1B89_2_0702A1B8
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 9_2_070281E09_2_070281E0
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 9_2_07027DA89_2_07027DA8
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 9_2_070298889_2_07029888
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 9_2_074DA15F9_2_074DA15F
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 9_2_074DA1709_2_074DA170
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 9_2_074DDE389_2_074DDE38
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 10_2_02C24AD010_2_02C24AD0
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 10_2_02C2EAD810_2_02C2EAD8
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 10_2_02C23EB810_2_02C23EB8
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 10_2_02C2420010_2_02C24200
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 10_2_02C2AD0810_2_02C2AD08
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 10_2_069BACDC10_2_069BACDC
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 10_2_069B96B010_2_069B96B0
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 10_2_069BDBF010_2_069BDBF0
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 10_2_069D349010_2_069D3490
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 10_2_069D55D010_2_069D55D0
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 10_2_069D65E810_2_069D65E8
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 10_2_069DB22010_2_069DB220
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 10_2_069DC17810_2_069DC178
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 10_2_069D7D7010_2_069D7D70
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 10_2_069D769010_2_069D7690
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 10_2_069DE39810_2_069DE398
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 10_2_069D004010_2_069D0040
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 10_2_069D5CDF10_2_069D5CDF
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 12_2_0263D5BC12_2_0263D5BC
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 12_2_04C6775012_2_04C67750
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 12_2_04C6004012_2_04C60040
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 12_2_04C6000712_2_04C60007
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 12_2_04C6774012_2_04C67740
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 12_2_052CDDD812_2_052CDDD8
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 12_2_052C8AA812_2_052C8AA8
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 12_2_052CA1B812_2_052CA1B8
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 12_2_052C81E012_2_052C81E0
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 12_2_052C7DA812_2_052C7DA8
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 12_2_052C793E12_2_052C793E
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 12_2_052C988812_2_052C9888
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_02A3420013_2_02A34200
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_02A34AD013_2_02A34AD0
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_02A3EAD813_2_02A3EAD8
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_02A33EB813_2_02A33EB8
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_02A3AD0813_2_02A3AD08
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_066FACDC13_2_066FACDC
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_066F96B013_2_066F96B0
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_066FDBFB13_2_066FDBFB
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_0670349013_2_06703490
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_067065E813_2_067065E8
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_067055D013_2_067055D0
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_0670B23013_2_0670B230
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_0670C17813_2_0670C178
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_06707D7013_2_06707D70
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_0670769013_2_06707690
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_0670E39813_2_0670E398
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_0670004013_2_06700040
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_06705CF013_2_06705CF0
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_0670001F13_2_0670001F
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_0670000713_2_06700007
                    Source: z68ORDER.scr.exe, 00000000.00000002.1322262193.0000000003909000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename64af20ca-f267-4570-b8a1-6b375e9c5566.exe4 vs z68ORDER.scr.exe
                    Source: z68ORDER.scr.exe, 00000000.00000002.1322262193.0000000003909000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs z68ORDER.scr.exe
                    Source: z68ORDER.scr.exe, 00000000.00000002.1320773433.000000000297D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs z68ORDER.scr.exe
                    Source: z68ORDER.scr.exe, 00000000.00000002.1325062760.0000000005170000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs z68ORDER.scr.exe
                    Source: z68ORDER.scr.exe, 00000000.00000002.1326999884.0000000006D70000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs z68ORDER.scr.exe
                    Source: z68ORDER.scr.exe, 00000000.00000002.1320773433.0000000002969000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename64af20ca-f267-4570-b8a1-6b375e9c5566.exe4 vs z68ORDER.scr.exe
                    Source: z68ORDER.scr.exe, 00000000.00000002.1320773433.0000000002993000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs z68ORDER.scr.exe
                    Source: z68ORDER.scr.exe, 00000000.00000002.1317755984.0000000000A5E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs z68ORDER.scr.exe
                    Source: z68ORDER.scr.exe, 00000000.00000002.1320773433.0000000002901000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs z68ORDER.scr.exe
                    Source: z68ORDER.scr.exe, 00000007.00000002.2542231438.00000000009C8000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs z68ORDER.scr.exe
                    Source: z68ORDER.scr.exeBinary or memory string: OriginalFilenamebefV.exeN vs z68ORDER.scr.exe
                    Source: z68ORDER.scr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 10.2.mpTrle.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.z68ORDER.scr.exe.39cbc58.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.z68ORDER.scr.exe.3990c38.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.z68ORDER.scr.exe.39cbc58.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.z68ORDER.scr.exe.3990c38.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: z68ORDER.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.z68ORDER.scr.exe.39cbc58.4.raw.unpack, slKb.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.z68ORDER.scr.exe.39cbc58.4.raw.unpack, mAKJ.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.z68ORDER.scr.exe.39cbc58.4.raw.unpack, xQRSe0Fg.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                    Source: 0.2.z68ORDER.scr.exe.39cbc58.4.raw.unpack, n3rhMa.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.z68ORDER.scr.exe.39cbc58.4.raw.unpack, MQzE4FWn.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.z68ORDER.scr.exe.39cbc58.4.raw.unpack, nSmgRyX5a1.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.z68ORDER.scr.exe.39cbc58.4.raw.unpack, 6IMLmJtk.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.z68ORDER.scr.exe.39cbc58.4.raw.unpack, 6IMLmJtk.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.z68ORDER.scr.exe.39cbc58.4.raw.unpack, 3HroK7qN.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.z68ORDER.scr.exe.39cbc58.4.raw.unpack, 3HroK7qN.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, jsLdnKeIcMR46DDMhl.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, CYMPDo4J6Cy7nmhfYl.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, CYMPDo4J6Cy7nmhfYl.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, CYMPDo4J6Cy7nmhfYl.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, jsLdnKeIcMR46DDMhl.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, CYMPDo4J6Cy7nmhfYl.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, CYMPDo4J6Cy7nmhfYl.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, CYMPDo4J6Cy7nmhfYl.csSecurity API names: _0020.AddAccessRule
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@17/9@2/2
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z68ORDER.scr.exe.logJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mw2fwdi2.m3a.ps1Jump to behavior
                    Source: z68ORDER.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: z68ORDER.scr.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: z68ORDER.scr.exeReversingLabs: Detection: 34%
                    Source: z68ORDER.scr.exeVirustotal: Detection: 33%
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeFile read: C:\Users\user\Desktop\z68ORDER.scr.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\z68ORDER.scr.exe "C:\Users\user\Desktop\z68ORDER.scr.exe"
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z68ORDER.scr.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess created: C:\Users\user\Desktop\z68ORDER.scr.exe "C:\Users\user\Desktop\z68ORDER.scr.exe"
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess created: C:\Users\user\Desktop\z68ORDER.scr.exe "C:\Users\user\Desktop\z68ORDER.scr.exe"
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess created: C:\Users\user\Desktop\z68ORDER.scr.exe "C:\Users\user\Desktop\z68ORDER.scr.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z68ORDER.scr.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess created: C:\Users\user\Desktop\z68ORDER.scr.exe "C:\Users\user\Desktop\z68ORDER.scr.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess created: C:\Users\user\Desktop\z68ORDER.scr.exe "C:\Users\user\Desktop\z68ORDER.scr.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess created: C:\Users\user\Desktop\z68ORDER.scr.exe "C:\Users\user\Desktop\z68ORDER.scr.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: dwrite.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: textshaping.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: rasman.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: z68ORDER.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: z68ORDER.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: z68ORDER.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: befV.pdbSHA256r source: z68ORDER.scr.exe, mpTrle.exe.7.dr
                    Source: Binary string: befV.pdb source: z68ORDER.scr.exe, mpTrle.exe.7.dr

                    Data Obfuscation

                    barindex
                    .NET source code contains potential unpacker
                    Source: z68ORDER.scr.exe, Form1.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, CYMPDo4J6Cy7nmhfYl.cs.Net Code: CfiaETEDsX System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, CYMPDo4J6Cy7nmhfYl.cs.Net Code: CfiaETEDsX System.Reflection.Assembly.Load(byte[])
                    Source: z68ORDER.scr.exeStatic PE information: 0xFF39ACF5 [Wed Sep 9 20:05:09 2105 UTC]
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 0_2_00FE9C40 push C8027D93h; iretd 0_2_00FE9C6D
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 0_2_00FE9C20 push C8027D93h; iretd 0_2_00FE9C6D
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 0_2_06A8D16E push es; ret 0_2_06A8D174
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 0_2_06A8793E push es; retf A877h0_2_06A87954
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 7_2_011C0C55 push edi; retf 7_2_011C0C7A
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 7_2_067C4F00 push esp; retf 7_2_067C4F0D
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeCode function: 7_2_067C588F push es; ret 7_2_067C5890
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 9_2_02E25E0A pushfd ; iretd 9_2_02E25E19
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 9_2_02E29C61 push C8053993h; iretd 9_2_02E29C6D
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 9_2_074D1688 push eax; iretd 9_2_074D1689
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 9_2_074D0527 push FFFFFF8Bh; iretd 9_2_074D0529
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 9_2_074DE384 push ds; retf 9_2_074DE387
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 9_2_074D1260 push esp; retf 9_2_074D12E9
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 9_2_074D12E2 push esp; retf 9_2_074D12E9
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 9_2_074D0D92 pushad ; retf 9_2_074D0DA1
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 9_2_074D4C49 push 780542F5h; iretd 9_2_074D4C55
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 10_2_02C20C55 push edi; retf 10_2_02C20C7A
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 10_2_069B53E0 push es; ret 10_2_069B53F0
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 10_2_069BFEF9 push es; retf 10_2_069BFEFC
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_02A30C55 push edi; retf 13_2_02A30C7A
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_066F85F8 push ss; retf 13_2_066F85FA
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_066F858B push ss; retf 13_2_066F8592
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_066F8588 push ss; retf 13_2_066F858A
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_066F8251 push cs; retf 13_2_066F8252
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_066F81B1 push cs; retf 13_2_066F81B2
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_066F8181 push cs; retf 13_2_066F8182
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_066FADAF push ecx; retf 0006h13_2_066FADBA
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_066FADBF push ecx; retf 0006h13_2_066FADCA
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_066FED88 push eax; retf 13_2_066FED92
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_066FE903 push eax; retf 13_2_066FE90A
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeCode function: 13_2_066FE900 push eax; retf 13_2_066FE902
                    Source: z68ORDER.scr.exeStatic PE information: section name: .text entropy: 7.850671263446786
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, dWktre6SEl2SD8D3hGe.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dN1rGpbakK', 'gmFryfuiDk', 'giZrxZJnB2', 'SAlrX11k9i', 'e3tro3giX9', 'LuorKC0G9k', 't5LrObbMwY'
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, vg8sasKIPGHmhif1OC.csHigh entropy of concatenated method names: 'UQcNhr9qHn', 'TK0NBM6jyy', 'Np3294LoWg', 'x6Z26Msapq', 'tATNVHLPil', 'KENNpode5M', 'NuUNTfA9YJ', 'ArgNGvWdvY', 'rxQNyIWjFf', 'sZPNxChwxy'
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, NIishf6qk0DcA9LexFc.csHigh entropy of concatenated method names: 'QXkrQcIbk0', 'l1UrP3Edyu', 'DdxrElXRwa', 'qTgNiDFeyjfsmWGD84A', 'gne36rFqNymdEvsFsHx', 'Hp6HlMFYEHoGO3xXWDc', 'LVQnq8FZKt2OUsuqt9s'
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, DxBFYMqtM6hl4HetuK.csHigh entropy of concatenated method names: 'lYgEZP3MV', 'nVmv6DFlr', 'Qw4fwSa1e', 'aylsAIZS9', 'BrdcstqiR', 'BF7JY14HJ', 'IOa7pej5WnO0O9w0vn', 'c3F2JYhoha9ufFI6rm', 'NAH2eupXj', 'MvIrvnMI3'
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, CYMPDo4J6Cy7nmhfYl.csHigh entropy of concatenated method names: 'CNwSLuq0cF', 'AHfSFhXVYZ', 'IR7S8FnqFE', 'UkQSWM4yl2', 'vtuSRCGarC', 'amfSC2jEb4', 'fBwS11bfiK', 'nkxS4tXQaf', 'UnHSZwN89J', 'C06Sd4TxYq'
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, DmQhGwiPicP2QJ6WXW.csHigh entropy of concatenated method names: 'kDV1F40qd4', 'Lxb1W2ubko', 'PkN1C1KqWM', 'qmgCBt9NDC', 'iMkCz698pE', 'KFA19h63lt', 'xXN162IPrv', 'PXL1qlFice', 'tfM1S9W8Vu', 'rsp1atfDTS'
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, vuE4LvaIEDGTZI5pvQ.csHigh entropy of concatenated method names: 'lG161sLdnK', 'XcM64R46DD', 'Fys6dXY1ee', 'QpE6tXbebQ', 'UTk6lWUY7L', 'Fhf657oNOI', 'dleNH7WKLQACxZmjVr', 'Y6qE1v2ZPqmOMDWZtQ', 'TeV66kg5EK', 'oeB6SK2RWU'
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, ihdDFM7LfSDIFZy3OO.csHigh entropy of concatenated method names: 'sR81QIuJhy', 'APO1P6b2kP', 'RCW1E6cGtb', 'eRA1vJ1MLC', 'RP11mnOOpT', 'oC11ft48HW', 'o6U1scbwgG', 'oBF1eCG109', 'xaI1cHkS4o', 'qUY1JsooqO'
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, jsLdnKeIcMR46DDMhl.csHigh entropy of concatenated method names: 'IcR8GGvQ7V', 'eui8ys48u4', 'VDy8xM0FXs', 'gwh8Xkr7cE', 'DLb8oxRPfy', 'vCG8K4Sn6y', 'vKy8OU9RK7', 'P8s8hwPyNC', 'qJU8ImVxv8', 'zev8BGHZ8o'
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, lW6hafzrDrkg3FckJ0.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hYyU3unnss', 'zKYUlrYWr8', 'MR4U5gqRva', 'q0YUN4emUi', 'LJuU24QMjl', 'iykUU3bba5', 'yAAUrYQ1nq'
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, MebQhaJGjo6pLoTkWU.csHigh entropy of concatenated method names: 'mCnRmeoCHA', 'k23Rs0Pq5u', 'f8IWjLjib0', 'qpgWuPG7uc', 'dehWMocj22', 'cdZW0pp5S2', 'LwNWi9p4G2', 'jqsWbYJegn', 'EJWW7lubTf', 'iTLWD8lx0B'
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, FGXur1TCVU5a0ZPpW9.csHigh entropy of concatenated method names: 'yNF3eJydEX', 'bGU3cE5DTO', 'V8s3kS66aZ', 'o7f3nEyWGT', 'xOg3u7SxJC', 'HFo3M1PwZ2', 'S8K3iculg0', 'xTo3brBAHV', 'bIM3DlYIFF', 'WA23VZjLdX'
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, amAd90hqHLq47wcWBA.csHigh entropy of concatenated method names: 'YYY2FobhQq', 'N3M28cQBel', 'r5m2Wx0ltQ', 'Exm2Rht8LR', 'WiM2CNZpUn', 'er121Asss4', 'A8H24phREm', 'yl82ZtlAuU', 'iRc2dcrrl2', 'aS92t4qiMu'
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, pZDAEa69iNvXYYB9Qwy.csHigh entropy of concatenated method names: 'iwvUQHVhWv', 'KIfUPnT3vK', 'Qq4UEgPcqG', 'coCUv10GtN', 'iW0UmxG8mI', 'rsuUflLVaR', 'PTVUsULNfq', 'kV6UeZxfg8', 'AgfUcZ7Pt0', 'NTlUJpRCf5'
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, fvtIhYxFwnvgHyg39B.csHigh entropy of concatenated method names: 'ToString', 'xGN5Vqc9iy', 'f5Z5nEw4nI', 'lGX5jZrkcD', 'hI85uE9kSL', 'Ad75MuZcRI', 'IOf50Sb2HT', 'GG35iHGmqi', 'ARm5bJ59pn', 'eU657dWcnh'
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, hiQgtPuGlgF8Rbms0T.csHigh entropy of concatenated method names: 'e4xCAvPFww', 'lppCQwR0qg', 'wIFCEU5GoE', 'DqdCv1ek8o', 'KnHCfPj5y3', 'b7rCspRW7b', 'nexCcWwIPT', 'vYBCJ6kYrD', 'vrJrQBtG9RoSICEFThk', 'JVMmGFtSeYER32aU2hm'
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, uYDe3JcysXY1eeTpEX.csHigh entropy of concatenated method names: 'uGxWvYQXkt', 'HxuWfwRFG3', 'qtXWeVuogx', 'gBHWcM4YlM', 'SeMWl9D4L1', 'G5eW53pIox', 'JQuWNZ4gXd', 'rAvW2SwGwv', 'wwKWUb0qWt', 'WY3WrFKFCh'
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, rcLuWpIfHAd4gVs5Yj.csHigh entropy of concatenated method names: 'lih2kkSCDN', 'GI82nb4BC9', 'Iod2jlMrFC', 'cjf2uQEX4i', 'P7r2GZXHO2', 'SUV2MFKPJk', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, Lix3e3B7qxWaq0NNDb.csHigh entropy of concatenated method names: 'qYsU6aas5Y', 'YnZUStUypS', 'MdKUajUHiV', 'r59UFI8x2I', 'uJXU8fVmLF', 'IhkURwp2UU', 'ijaUCvBqJh', 'zBC2O4f91I', 'PSK2h3CsHm', 'zut2Ixc6RG'
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, gxlfI78xVO1oZG8f74.csHigh entropy of concatenated method names: 'Dispose', 'qhf6Io2WJn', 'WvlqnpmYiN', 'tuQFFutNro', 'q6m6BAd90q', 'vLq6z47wcW', 'ProcessDialogKey', 'YA2q9cLuWp', 'BHAq6d4gVs', 'pYjqqiix3e'
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, w7LJhfk7oNOIHoA3aF.csHigh entropy of concatenated method names: 'O8wCLA6hko', 'DKxC8JP06d', 'RWECRoCKE3', 'z7IC1dDO2s', 'oMuC4WaDhx', 'xc3RolGFNv', 'GOXRK2ydaj', 'V3vROlgLDF', 'zyvRhradv6', 'O8gRIYMugB'
                    Source: 0.2.z68ORDER.scr.exe.6d70000.7.raw.unpack, acCfZnGC0hTeE98x1E.csHigh entropy of concatenated method names: 'ImUlDMu61K', 'iwjlp1Y5w6', 'a0nlGVVmcn', 'xXNlyDamqQ', 'Fd5lnxbseD', 'WTEljKAkTH', 'B7rlu8SIEW', 'CZtlMnIFBa', 'Huol0KZIvc', 'SGplilG7UL'
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, dWktre6SEl2SD8D3hGe.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dN1rGpbakK', 'gmFryfuiDk', 'giZrxZJnB2', 'SAlrX11k9i', 'e3tro3giX9', 'LuorKC0G9k', 't5LrObbMwY'
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, vg8sasKIPGHmhif1OC.csHigh entropy of concatenated method names: 'UQcNhr9qHn', 'TK0NBM6jyy', 'Np3294LoWg', 'x6Z26Msapq', 'tATNVHLPil', 'KENNpode5M', 'NuUNTfA9YJ', 'ArgNGvWdvY', 'rxQNyIWjFf', 'sZPNxChwxy'
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, NIishf6qk0DcA9LexFc.csHigh entropy of concatenated method names: 'QXkrQcIbk0', 'l1UrP3Edyu', 'DdxrElXRwa', 'qTgNiDFeyjfsmWGD84A', 'gne36rFqNymdEvsFsHx', 'Hp6HlMFYEHoGO3xXWDc', 'LVQnq8FZKt2OUsuqt9s'
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, DxBFYMqtM6hl4HetuK.csHigh entropy of concatenated method names: 'lYgEZP3MV', 'nVmv6DFlr', 'Qw4fwSa1e', 'aylsAIZS9', 'BrdcstqiR', 'BF7JY14HJ', 'IOa7pej5WnO0O9w0vn', 'c3F2JYhoha9ufFI6rm', 'NAH2eupXj', 'MvIrvnMI3'
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, CYMPDo4J6Cy7nmhfYl.csHigh entropy of concatenated method names: 'CNwSLuq0cF', 'AHfSFhXVYZ', 'IR7S8FnqFE', 'UkQSWM4yl2', 'vtuSRCGarC', 'amfSC2jEb4', 'fBwS11bfiK', 'nkxS4tXQaf', 'UnHSZwN89J', 'C06Sd4TxYq'
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, DmQhGwiPicP2QJ6WXW.csHigh entropy of concatenated method names: 'kDV1F40qd4', 'Lxb1W2ubko', 'PkN1C1KqWM', 'qmgCBt9NDC', 'iMkCz698pE', 'KFA19h63lt', 'xXN162IPrv', 'PXL1qlFice', 'tfM1S9W8Vu', 'rsp1atfDTS'
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, vuE4LvaIEDGTZI5pvQ.csHigh entropy of concatenated method names: 'lG161sLdnK', 'XcM64R46DD', 'Fys6dXY1ee', 'QpE6tXbebQ', 'UTk6lWUY7L', 'Fhf657oNOI', 'dleNH7WKLQACxZmjVr', 'Y6qE1v2ZPqmOMDWZtQ', 'TeV66kg5EK', 'oeB6SK2RWU'
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, ihdDFM7LfSDIFZy3OO.csHigh entropy of concatenated method names: 'sR81QIuJhy', 'APO1P6b2kP', 'RCW1E6cGtb', 'eRA1vJ1MLC', 'RP11mnOOpT', 'oC11ft48HW', 'o6U1scbwgG', 'oBF1eCG109', 'xaI1cHkS4o', 'qUY1JsooqO'
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, jsLdnKeIcMR46DDMhl.csHigh entropy of concatenated method names: 'IcR8GGvQ7V', 'eui8ys48u4', 'VDy8xM0FXs', 'gwh8Xkr7cE', 'DLb8oxRPfy', 'vCG8K4Sn6y', 'vKy8OU9RK7', 'P8s8hwPyNC', 'qJU8ImVxv8', 'zev8BGHZ8o'
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, lW6hafzrDrkg3FckJ0.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hYyU3unnss', 'zKYUlrYWr8', 'MR4U5gqRva', 'q0YUN4emUi', 'LJuU24QMjl', 'iykUU3bba5', 'yAAUrYQ1nq'
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, MebQhaJGjo6pLoTkWU.csHigh entropy of concatenated method names: 'mCnRmeoCHA', 'k23Rs0Pq5u', 'f8IWjLjib0', 'qpgWuPG7uc', 'dehWMocj22', 'cdZW0pp5S2', 'LwNWi9p4G2', 'jqsWbYJegn', 'EJWW7lubTf', 'iTLWD8lx0B'
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, FGXur1TCVU5a0ZPpW9.csHigh entropy of concatenated method names: 'yNF3eJydEX', 'bGU3cE5DTO', 'V8s3kS66aZ', 'o7f3nEyWGT', 'xOg3u7SxJC', 'HFo3M1PwZ2', 'S8K3iculg0', 'xTo3brBAHV', 'bIM3DlYIFF', 'WA23VZjLdX'
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, amAd90hqHLq47wcWBA.csHigh entropy of concatenated method names: 'YYY2FobhQq', 'N3M28cQBel', 'r5m2Wx0ltQ', 'Exm2Rht8LR', 'WiM2CNZpUn', 'er121Asss4', 'A8H24phREm', 'yl82ZtlAuU', 'iRc2dcrrl2', 'aS92t4qiMu'
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, pZDAEa69iNvXYYB9Qwy.csHigh entropy of concatenated method names: 'iwvUQHVhWv', 'KIfUPnT3vK', 'Qq4UEgPcqG', 'coCUv10GtN', 'iW0UmxG8mI', 'rsuUflLVaR', 'PTVUsULNfq', 'kV6UeZxfg8', 'AgfUcZ7Pt0', 'NTlUJpRCf5'
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, fvtIhYxFwnvgHyg39B.csHigh entropy of concatenated method names: 'ToString', 'xGN5Vqc9iy', 'f5Z5nEw4nI', 'lGX5jZrkcD', 'hI85uE9kSL', 'Ad75MuZcRI', 'IOf50Sb2HT', 'GG35iHGmqi', 'ARm5bJ59pn', 'eU657dWcnh'
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, hiQgtPuGlgF8Rbms0T.csHigh entropy of concatenated method names: 'e4xCAvPFww', 'lppCQwR0qg', 'wIFCEU5GoE', 'DqdCv1ek8o', 'KnHCfPj5y3', 'b7rCspRW7b', 'nexCcWwIPT', 'vYBCJ6kYrD', 'vrJrQBtG9RoSICEFThk', 'JVMmGFtSeYER32aU2hm'
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, uYDe3JcysXY1eeTpEX.csHigh entropy of concatenated method names: 'uGxWvYQXkt', 'HxuWfwRFG3', 'qtXWeVuogx', 'gBHWcM4YlM', 'SeMWl9D4L1', 'G5eW53pIox', 'JQuWNZ4gXd', 'rAvW2SwGwv', 'wwKWUb0qWt', 'WY3WrFKFCh'
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, rcLuWpIfHAd4gVs5Yj.csHigh entropy of concatenated method names: 'lih2kkSCDN', 'GI82nb4BC9', 'Iod2jlMrFC', 'cjf2uQEX4i', 'P7r2GZXHO2', 'SUV2MFKPJk', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, Lix3e3B7qxWaq0NNDb.csHigh entropy of concatenated method names: 'qYsU6aas5Y', 'YnZUStUypS', 'MdKUajUHiV', 'r59UFI8x2I', 'uJXU8fVmLF', 'IhkURwp2UU', 'ijaUCvBqJh', 'zBC2O4f91I', 'PSK2h3CsHm', 'zut2Ixc6RG'
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, gxlfI78xVO1oZG8f74.csHigh entropy of concatenated method names: 'Dispose', 'qhf6Io2WJn', 'WvlqnpmYiN', 'tuQFFutNro', 'q6m6BAd90q', 'vLq6z47wcW', 'ProcessDialogKey', 'YA2q9cLuWp', 'BHAq6d4gVs', 'pYjqqiix3e'
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, w7LJhfk7oNOIHoA3aF.csHigh entropy of concatenated method names: 'O8wCLA6hko', 'DKxC8JP06d', 'RWECRoCKE3', 'z7IC1dDO2s', 'oMuC4WaDhx', 'xc3RolGFNv', 'GOXRK2ydaj', 'V3vROlgLDF', 'zyvRhradv6', 'O8gRIYMugB'
                    Source: 0.2.z68ORDER.scr.exe.3b119d0.3.raw.unpack, acCfZnGC0hTeE98x1E.csHigh entropy of concatenated method names: 'ImUlDMu61K', 'iwjlp1Y5w6', 'a0nlGVVmcn', 'xXNlyDamqQ', 'Fd5lnxbseD', 'WTEljKAkTH', 'B7rlu8SIEW', 'CZtlMnIFBa', 'Huol0KZIvc', 'SGplilG7UL'
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeFile created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeJump to dropped file
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mpTrleJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mpTrleJump to behavior

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Hides that the sample has been downloaded from the Internet (zone.identifier)
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeFile opened: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe:Zone.Identifier read attributes | deleteJump to behavior
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: z68ORDER.scr.exe PID: 7492, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: mpTrle.exe PID: 8116, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: mpTrle.exe PID: 6388, type: MEMORYSTR
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeMemory allocated: FE0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeMemory allocated: 2900000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeMemory allocated: 2650000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeMemory allocated: 88C0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeMemory allocated: 98C0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeMemory allocated: 9AC0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeMemory allocated: AAC0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeMemory allocated: 11C0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeMemory allocated: 2BD0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeMemory allocated: 2A10000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMemory allocated: 2DD0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMemory allocated: 2E40000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMemory allocated: 4E40000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMemory allocated: 8A40000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMemory allocated: 9A40000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMemory allocated: 9C30000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMemory allocated: AC30000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMemory allocated: 2C20000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMemory allocated: 2E10000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMemory allocated: 4E10000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMemory allocated: 25F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMemory allocated: 2810000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMemory allocated: 2660000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMemory allocated: 8260000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMemory allocated: 9260000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMemory allocated: 9440000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMemory allocated: A440000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMemory allocated: 2990000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMemory allocated: 2C30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMemory allocated: 2990000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6079Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3603Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeWindow / User API: threadDelayed 3482Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeWindow / User API: threadDelayed 1796Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeWindow / User API: threadDelayed 1586Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeWindow / User API: threadDelayed 3489Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeWindow / User API: threadDelayed 945
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeWindow / User API: threadDelayed 4331
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7512Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7908Thread sleep time: -9223372036854770s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -21213755684765971s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -100000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7992Thread sleep count: 3482 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -99874s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7992Thread sleep count: 1796 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -99765s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -99656s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -99545s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -99437s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -99328s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -99218s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -99109s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -99000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -98890s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -98781s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -98669s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -98557s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -98438s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -98313s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -98188s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -98063s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -97953s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -97844s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -97719s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -97609s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -97499s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -97390s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -97281s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -97143s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exe TID: 7944Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 8140Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -17524406870024063s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -100000s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7044Thread sleep count: 1586 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -99874s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -99765s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7044Thread sleep count: 3489 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -99656s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -99547s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -99437s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -99328s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -99219s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -99109s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -99000s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -98890s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -98781s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -98672s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -98562s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -98450s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -98344s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -98234s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -98124s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -98015s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -97906s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -97796s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -97687s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -97578s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -97460s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6992Thread sleep time: -97359s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4780Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -16602069666338586s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -99890s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7648Thread sleep count: 945 > 30
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7648Thread sleep count: 4331 > 30
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -99781s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -99672s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -99563s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -99438s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -99313s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -99188s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -99063s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -98953s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -98844s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -98719s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -98610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -98485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -98360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -98235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -98108s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -98000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -97891s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -97781s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -97672s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -97563s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -97438s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -97328s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -97219s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -97108s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7888Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 99874Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 99765Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 99656Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 99545Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 99437Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 99328Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 99218Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 99109Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 99000Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 98890Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 98781Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 98669Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 98557Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 98438Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 98313Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 98188Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 98063Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 97953Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 97844Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 97719Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 97609Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 97499Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 97390Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 97281Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 97143Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 99874Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 99765Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 99656Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 99547Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 99437Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 99328Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 99219Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 99109Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 99000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 98890Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 98781Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 98672Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 98562Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 98450Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 98344Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 98234Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 98124Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 98015Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 97906Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 97796Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 97687Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 97578Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 97460Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 97359Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 99890
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 99781
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 99672
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 99563
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 99438
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 99313
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 99188
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 99063
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 98953
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 98844
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 98719
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 98610
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 98485
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 98360
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 98235
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 98108
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 98000
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 97891
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 97781
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 97672
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 97563
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 97438
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 97328
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 97219
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 97108
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeThread delayed: delay time: 922337203685477
                    Source: z68ORDER.scr.exe, 00000000.00000002.1327850183.00000000086E1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                    Source: mpTrle.exe, 0000000A.00000002.1523301310.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2558475079.0000000006070000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: z68ORDER.scr.exe, 00000007.00000002.2542470162.0000000000E80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z68ORDER.scr.exe"
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z68ORDER.scr.exe"Jump to behavior
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeMemory written: C:\Users\user\Desktop\z68ORDER.scr.exe base: 400000 value starts with: 4D5AJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMemory written: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe base: 400000 value starts with: 4D5AJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeMemory written: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z68ORDER.scr.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess created: C:\Users\user\Desktop\z68ORDER.scr.exe "C:\Users\user\Desktop\z68ORDER.scr.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess created: C:\Users\user\Desktop\z68ORDER.scr.exe "C:\Users\user\Desktop\z68ORDER.scr.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeProcess created: C:\Users\user\Desktop\z68ORDER.scr.exe "C:\Users\user\Desktop\z68ORDER.scr.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeProcess created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeQueries volume information: C:\Users\user\Desktop\z68ORDER.scr.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeQueries volume information: C:\Users\user\Desktop\z68ORDER.scr.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeQueries volume information: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeQueries volume information: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeQueries volume information: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeQueries volume information: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 10.2.mpTrle.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.z68ORDER.scr.exe.39cbc58.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.z68ORDER.scr.exe.3990c38.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.z68ORDER.scr.exe.39cbc58.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.z68ORDER.scr.exe.3990c38.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000A.00000002.1525325777.0000000002E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.2546108508.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.1521450126.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2545303921.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.2546108508.0000000002CAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.1525325777.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.1525325777.0000000002E89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.2546108508.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2545303921.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.2546108508.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2545303921.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1322262193.0000000003909000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2545303921.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.1525325777.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: z68ORDER.scr.exe PID: 7492, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: z68ORDER.scr.exe PID: 7732, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: mpTrle.exe PID: 8160, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: mpTrle.exe PID: 7380, type: MEMORYSTR
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeFile opened: C:\FTP Navigator\Ftplist.txt
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Users\user\Desktop\z68ORDER.scr.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara matchFile source: 10.2.mpTrle.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.z68ORDER.scr.exe.39cbc58.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.z68ORDER.scr.exe.3990c38.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.z68ORDER.scr.exe.39cbc58.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.z68ORDER.scr.exe.3990c38.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000A.00000002.1521450126.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.1525325777.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2545303921.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.2546108508.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1322262193.0000000003909000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: z68ORDER.scr.exe PID: 7492, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: z68ORDER.scr.exe PID: 7732, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: mpTrle.exe PID: 8160, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: mpTrle.exe PID: 7380, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 10.2.mpTrle.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.z68ORDER.scr.exe.39cbc58.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.z68ORDER.scr.exe.3990c38.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.z68ORDER.scr.exe.39cbc58.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.z68ORDER.scr.exe.3990c38.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000A.00000002.1525325777.0000000002E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.2546108508.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.1521450126.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2545303921.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.2546108508.0000000002CAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.1525325777.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.1525325777.0000000002E89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.2546108508.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2545303921.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.2546108508.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2545303921.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1322262193.0000000003909000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2545303921.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.1525325777.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: z68ORDER.scr.exe PID: 7492, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: z68ORDER.scr.exe PID: 7732, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: mpTrle.exe PID: 8160, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: mpTrle.exe PID: 7380, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		1
                    DLL Side-Loading                    		11
                    Disable or Modify Tools                    		2
                    OS Credential Dumping                    		1
                    File and Directory Discovery                    		Remote Services11
                    Archive Collected Data                    		1
                    Ingress Tool Transfer                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault AccountsScheduled Task/Job1
                    Registry Run Keys / Startup Folder                    		111
                    Process Injection                    		1
                    Deobfuscate/Decode Files or Information                    		1
                    Input Capture                    		24
                    System Information Discovery                    		Remote Desktop Protocol2
                    Data from Local System                    		11
                    Encrypted Channel                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                    Registry Run Keys / Startup Folder                    		2
                    Obfuscated Files or Information                    		1
                    Credentials in Registry                    		1
                    Query Registry                    		SMB/Windows Admin Shares1
                    Email Collection                    		1
                    Non-Standard Port                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                    Software Packing                    		NTDS211
                    Security Software Discovery                    		Distributed Component Object Model1
                    Input Capture                    		2
                    Non-Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Timestomp                    		LSA Secrets1
                    Process Discovery                    		SSHKeylogging23
                    Application Layer Protocol                    		Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    DLL Side-Loading                    		Cached Domain Credentials141
                    Virtualization/Sandbox Evasion                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    Masquerading                    		DCSync1
                    Application Window Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job141
                    Virtualization/Sandbox Evasion                    		Proc Filesystem1
                    System Network Configuration Discovery                    		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt111
                    Process Injection                    		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                    IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
                    Hidden Files and Directories                    		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1507912 Sample: z68ORDER.scr.exe Startdate: 09/09/2024 Architecture: WINDOWS Score: 100 45 us2.smtp.mailhostbox.com 2->45 47 api.ipify.org 2->47 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 9 other signatures 2->67 8 z68ORDER.scr.exe 4 2->8         started        12 mpTrle.exe 3 2->12         started        14 mpTrle.exe 2->14         started        signatures3 process4 file5 39 C:\Users\user\...\z68ORDER.scr.exe.log, ASCII 8->39 dropped 69 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->69 71 Adds a directory exclusion to Windows Defender 8->71 73 Injects a PE file into a foreign processes 8->73 16 z68ORDER.scr.exe 16 5 8->16         started        21 powershell.exe 23 8->21         started        23 z68ORDER.scr.exe 8->23         started        25 z68ORDER.scr.exe 8->25         started        75 Multi AV Scanner detection for dropped file 12->75 77 Machine Learning detection for dropped file 12->77 27 mpTrle.exe 14 2 12->27         started        29 mpTrle.exe 14->29         started        signatures6 process7 dnsIp8 41 us2.smtp.mailhostbox.com 208.91.198.143, 49715, 49719, 49727 PUBLIC-DOMAIN-REGISTRYUS United States 16->41 43 api.ipify.org 104.26.13.205, 443, 49713, 49718 CLOUDFLARENETUS United States 16->43 35 C:\Users\user\AppData\Roaming\...\mpTrle.exe, PE32 16->35 dropped 37 C:\Users\user\...\mpTrle.exe:Zone.Identifier, ASCII 16->37 dropped 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->49 51 Tries to steal Mail credentials (via file / registry access) 16->51 53 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->53 55 Loading BitLocker PowerShell Module 21->55 31 conhost.exe 21->31         started        33 WmiPrvSE.exe 21->33         started        57 Tries to harvest and steal ftp login credentials 29->57 59 Tries to harvest and steal browser information (history, passwords, etc) 29->59 file9 signatures10 process11

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    z68ORDER.scr.exe34%ReversingLabsWin32.Trojan.Leonem
                    z68ORDER.scr.exe34%VirustotalBrowse
                    z68ORDER.scr.exe100%Joe Sandbox ML

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe100%Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe34%ReversingLabsWin32.Trojan.Leonem
                    C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe34%VirustotalBrowse

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    SourceDetectionScannerLabelLink
                    us2.smtp.mailhostbox.com1%VirustotalBrowse
                    api.ipify.org0%VirustotalBrowse

                    URLs

                    SourceDetectionScannerLabelLink
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                    https://sectigo.com/CPS00%Avira URL Cloudsafe
                    https://api.ipify.org/0%Avira URL Cloudsafe
                    https://api.ipify.org0%Avira URL Cloudsafe
                    http://ocsp.sectigo.com0A0%Avira URL Cloudsafe
                    http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#0%Avira URL Cloudsafe
                    https://account.dyn.com/0%Avira URL Cloudsafe
                    https://api.ipify.org/t0%Avira URL Cloudsafe
                    http://us2.smtp.mailhostbox.com0%Avira URL Cloudsafe
                    https://api.ipify.org0%VirustotalBrowse
                    https://api.ipify.org/0%VirustotalBrowse
                    https://sectigo.com/CPS00%VirustotalBrowse
                    https://api.ipify.org/t0%VirustotalBrowse
                    http://us2.smtp.mailhostbox.com1%VirustotalBrowse
                    http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#0%VirustotalBrowse
                    https://account.dyn.com/0%VirustotalBrowse

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    us2.smtp.mailhostbox.com
                    		208.91.198.143
                    		truetrueunknown
                    api.ipify.org
                    		104.26.13.205
                    		truefalseunknown

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    https://api.ipify.org/false
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#z68ORDER.scr.exe, 00000007.00000002.2545303921.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, z68ORDER.scr.exe, 00000007.00000002.2542470162.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1525325777.0000000002E93000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1523301310.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1523301310.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2546108508.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2558475079.0000000006070000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2542735415.0000000000FF2000.00000004.00000020.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    http://ocsp.sectigo.com0Az68ORDER.scr.exe, 00000007.00000002.2545303921.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, z68ORDER.scr.exe, 00000007.00000002.2542470162.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1525325777.0000000002E93000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1523301310.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1532698130.0000000006732000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1523301310.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2546108508.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2558475079.0000000006070000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2542735415.0000000000FF2000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://api.ipify.orgz68ORDER.scr.exe, 00000000.00000002.1322262193.0000000003909000.00000004.00000800.00020000.00000000.sdmp, z68ORDER.scr.exe, 00000007.00000002.2545303921.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1525325777.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1521450126.0000000000402000.00000040.00000400.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2546108508.0000000002C3C000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://sectigo.com/CPS0z68ORDER.scr.exe, 00000007.00000002.2545303921.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, z68ORDER.scr.exe, 00000007.00000002.2542470162.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1525325777.0000000002E93000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1523301310.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1523301310.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2546108508.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2558475079.0000000006070000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2542735415.0000000000FF2000.00000004.00000020.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://account.dyn.com/z68ORDER.scr.exe, 00000000.00000002.1322262193.0000000003909000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1521450126.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://api.ipify.org/tz68ORDER.scr.exe, 00000007.00000002.2545303921.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1525325777.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2546108508.0000000002C3C000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    http://us2.smtp.mailhostbox.comz68ORDER.scr.exe, 00000007.00000002.2545303921.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1525325777.0000000002E89000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2546108508.0000000002CAC000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 1%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namez68ORDER.scr.exe, 00000000.00000002.1320773433.0000000002969000.00000004.00000800.00020000.00000000.sdmp, z68ORDER.scr.exe, 00000007.00000002.2545303921.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000009.00000002.1440089925.0000000002EA9000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.1525325777.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.1523574938.000000000287D000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.2546108508.0000000002C3C000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown

                    World Map of Contacted IPs

                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    Public IPs

                    IPDomainCountryFlagASNASN NameMalicious
                    208.91.198.143
                    		us2.smtp.mailhostbox.comUnited States
                    		394695PUBLIC-DOMAIN-REGISTRYUStrue
                    104.26.13.205
                    		api.ipify.orgUnited States
                    		13335CLOUDFLARENETUSfalse

                    General Information

                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1507912
                    Start date and time:2024-09-09 14:15:43 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 7m 57s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:17
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:z68ORDER.scr.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@17/9@2/2
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 299
                    • Number of non-executed functions: 30
                    Cookbook Comments:
                    • Found application associated with file extension: .exe

                    Warnings

                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.

                    Simulations

                    Behavior and APIs

                    TimeTypeDescription
                    08:16:38API Interceptor28x Sleep call for process: z68ORDER.scr.exe modified
                    08:16:40API Interceptor14x Sleep call for process: powershell.exe modified
                    08:16:51API Interceptor55x Sleep call for process: mpTrle.exe modified
                    14:16:42AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run mpTrle C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
                    14:16:50AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run mpTrle C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe

                    Joe Sandbox View / Context

                    IPs

                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    208.91.198.143z17invoice.exeGet hashmaliciousAgentTeslaBrowse
                      z47maaaaaaaaaaaaax.exeGet hashmaliciousAgentTeslaBrowse
                        SecuriteInfo.com.PDF.Phishing.7B6B.tr.8047.20915.xlsxGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                          product_list.xlsGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                            SecuriteInfo.com.Other.Malware-gen.12504.4949.xlsxGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                              giehjhgjzJ.htaGet hashmaliciousCobalt Strike, MassLogger RAT, Snake KeyloggerBrowse
                                NGL1Of0ZkJ.htaGet hashmaliciousCobalt Strike, AgentTeslaBrowse
                                  SecuriteInfo.com.Win32.PWSX-gen.19673.26192.exeGet hashmaliciousAgentTeslaBrowse
                                    Edsha_PO.xlsGet hashmaliciousAgentTeslaBrowse
                                      SecuriteInfo.com.Exploit.CVE-2017-0199.04.Gen.20726.10183.xlsxGet hashmaliciousSnake KeyloggerBrowse
                                        104.26.13.205fptlVDDPkS.dllGet hashmaliciousQuasarBrowse
                                        • api.ipify.org/
                                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                                        • api.ipify.org/
                                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                                        • api.ipify.org/
                                        SecuriteInfo.com.Win64.Evo-gen.28044.10443.exeGet hashmaliciousUnknownBrowse
                                        • api.ipify.org/
                                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                                        • api.ipify.org/
                                        golang-modules.exeGet hashmaliciousUnknownBrowse
                                        • api.ipify.org/
                                        SecuriteInfo.com.Trojan.Win64.Agent.14415.19839.exeGet hashmaliciousUnknownBrowse
                                        • api.ipify.org/
                                        242764.exeGet hashmaliciousFicker Stealer, Rusty StealerBrowse
                                        • api.ipify.org/?format=wef
                                        Ransom.exeGet hashmaliciousTargeted Ransomware, TrojanRansomBrowse
                                        • api.ipify.org/
                                        ld.exeGet hashmaliciousTargeted Ransomware, TrojanRansomBrowse
                                        • api.ipify.org/

                                        Domains

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        us2.smtp.mailhostbox.comSecuriteInfo.com.Win32.PWSX-gen.12778.1808.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 208.91.199.225
                                        EXmRyGiPUc.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.91.199.223
                                        z17invoice.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.91.198.143
                                        love.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.91.199.225
                                        z47maaaaaaaaaaaaax.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.91.198.143
                                        z55enyioma.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.91.199.224
                                        Statement of Account.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 208.91.199.224
                                        SOA-Al Daleel -Star Electromechanical.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 208.91.199.223
                                        RFQ for RIyadh City Water Line Diversion.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 208.91.199.223
                                        New PO pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 208.91.199.224
                                        api.ipify.orgBooking_261.exeGet hashmaliciousAgentTesla, Clipboard HijackerBrowse
                                        • 104.26.13.205
                                        New PO#2729217048.exeGet hashmaliciousAgentTeslaBrowse
                                        • 172.67.74.152
                                        shipping doc for Invoice No. 61-FK-24.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                        • 104.26.13.205
                                        DBG1435766.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                        • 172.67.74.152
                                        Documenti di spedizione 00028384.bat.exeGet hashmaliciousAgentTeslaBrowse
                                        • 104.26.13.205
                                        DBG1475766.pdf.scr.exeGet hashmaliciousAgentTeslaBrowse
                                        • 172.67.74.152
                                        http://ct-relevant-violet.pages.dev/help/contact/432501590512485Get hashmaliciousUnknownBrowse
                                        • 104.26.12.205
                                        Public Holiday mem_Notice 2024.exeGet hashmaliciousAgentTeslaBrowse
                                        • 104.26.12.205
                                        https://contact-page-helper.bond/contract/61559135234072Get hashmaliciousUnknownBrowse
                                        • 104.26.13.205
                                        http://buaguhidjn28d.vercel.app/Get hashmaliciousUnknownBrowse
                                        • 104.26.13.205

                                        ASNs

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        PUBLIC-DOMAIN-REGISTRYUSPO# 81136575.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                        • 199.79.62.115
                                        SecuriteInfo.com.Win32.CrypterX-gen.29913.30159.exeGet hashmaliciousFormBookBrowse
                                        • 103.76.228.3
                                        SecuriteInfo.com.Win32.PWSX-gen.12778.1808.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 208.91.199.225
                                        EXmRyGiPUc.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.91.199.223
                                        AN.exeGet hashmaliciousAgentTeslaBrowse
                                        • 162.251.85.202
                                        z17invoice.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.91.198.143
                                        PO_GM_list_30082024202003180817418300824.exeGet hashmaliciousAgentTeslaBrowse
                                        • 199.79.62.115
                                        love.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.91.199.225
                                        QUOTE-4K892388-A-C422.exeGet hashmaliciousAgentTeslaBrowse
                                        • 199.79.62.115
                                        sZlfJ6FDY9.exeGet hashmaliciousAgentTeslaBrowse
                                        • 199.79.62.115
                                        CLOUDFLARENETUShttps://navexglobal.navexone.com/content/dotNet/documents/?docid=9960&public=trueGet hashmaliciousUnknownBrowse
                                        • 162.247.243.29
                                        rNEWOREDR726738877288882877737.exeGet hashmaliciousFormBookBrowse
                                        • 188.114.96.3
                                        z1PO_200040058.exeGet hashmaliciousSnake KeyloggerBrowse
                                        • 188.114.96.3
                                        Jsn496Em5T.exeGet hashmaliciousFormBookBrowse
                                        • 188.114.96.3
                                        MV ALIADO-S-REQ-19-000640.exeGet hashmaliciousFormBookBrowse
                                        • 104.21.88.99
                                        ungziped_file.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 188.114.96.3
                                        Booking_261.exeGet hashmaliciousAgentTesla, Clipboard HijackerBrowse
                                        • 172.67.74.152
                                        dekont.pdf.exeGet hashmaliciousSnake KeyloggerBrowse
                                        • 188.114.97.3
                                        EGCS-875-S5-SMO M2A.exeGet hashmaliciousFormBookBrowse
                                        • 188.114.97.3
                                        http://masdd.line.pm/Get hashmaliciousUnknownBrowse
                                        • 172.67.170.224

                                        JA3 Fingerprints

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        3b5074b1b5d032e5620f69f9f700ff0etK6E2PJw16.exeGet hashmaliciousUnknownBrowse
                                        • 104.26.13.205
                                        rNEWOREDR726738877288882877737.exeGet hashmaliciousFormBookBrowse
                                        • 104.26.13.205
                                        ungziped_file.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 104.26.13.205
                                        Booking_261.exeGet hashmaliciousAgentTesla, Clipboard HijackerBrowse
                                        • 104.26.13.205
                                        New PO#2729217048.exeGet hashmaliciousAgentTeslaBrowse
                                        • 104.26.13.205
                                        ProjectSpecificationRequirement06092024.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 104.26.13.205
                                        shipping doc for Invoice No. 61-FK-24.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                        • 104.26.13.205
                                        HN0825H3De2.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                        • 104.26.13.205
                                        http://om.ciheam.org/om/pdf/a79/00800645.pdfGet hashmaliciousUnknownBrowse
                                        • 104.26.13.205
                                        #U0130#U015eLEM #U00d6ZET#U0130_110602407178699-1034 nolu TICARI -e-Banka_563028621286.exeGet hashmaliciousSnake KeyloggerBrowse
                                        • 104.26.13.205

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mpTrle.exe.log

                                        Download File
                                        Process:C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.34331486778365
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                        Malicious:false
                                        Reputation:high, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z68ORDER.scr.exe.log

                                        Download File
                                        Process:C:\Users\user\Desktop\z68ORDER.scr.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.34331486778365
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Download File
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):2232
                                        Entropy (8bit):5.3797706053345555
                                        Encrypted:false
                                        SSDEEP:48:fWSU4xympx4RfoUP7gZ9tK8NPZHUx7u1iMugeC/ZPUyus:fLHxv/IwLZ2KRH6Oug8s
                                        MD5:B1B3D1207A89A4A3D09468D86D9B7EB5
                                        SHA1:C589E8ABEA7671751DCB907F565BD24BC02D63B6
                                        SHA-256:BF59D42A981F2AEE59CA10B06AFB3ED9DDCAE5E6BA2437244F1B18BF900DA108
                                        SHA-512:85A712941C9A993E8FA547A8FD1262370CE646A48FFB5E4CB1FBFA74DEA7B57FD1FB74A09DF1ABC154419026D4667AE25079617D2B3031704D1B87F6D1C9D10B
                                        Malicious:false
                                        Reputation:low
                                        Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dhnjtjw2.guz.psm1

                                        Download File
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fxjaekof.nwf.ps1

                                        Download File
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mfgv3m3h.5oe.psm1

                                        Download File
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mw2fwdi2.m3a.ps1

                                        Download File
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                        C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe

                                        Download File
                                        Process:C:\Users\user\Desktop\z68ORDER.scr.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):665088
                                        Entropy (8bit):7.840903651570537
                                        Encrypted:false
                                        SSDEEP:12288:BSHUDLjHP7ZRvNRwNKIJHp3SaFq4YdoAu3YlRsrKbypq60Ok8c11igY69i72l:JjHP7vMzpiP4YdoOVbypq9OncTW6kE
                                        MD5:A04E6EE334556CEBD31E9AE152DDBED1
                                        SHA1:68DBDDADAD1C6C40B8F824EE44726FEA87118FCC
                                        SHA-256:5C875F9D28EAE5AFCE4AAC472B0825EDEF8CAC3119D2991D3DD08A1FD32BD424
                                        SHA-512:6734F4D8E7E124B5080B6AA00EDD980021AD76ADE679E4A9B55C30F86A0E5E916947DCB80AB1D4EC41F31B9A9A4F45CCA5C52002BA1A440767A000DFFDC2142E
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 34%
                                        • Antivirus: Virustotal, Detection: 34%, Browse
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....9...............0..............9... ...@....@.. ....................................@.................................59..O....@..L....................`..........p............................................ ............... ..H............text........ ...................... ..`.rsrc...L....@......................@..@.reloc.......`.......$..............@..B................i9......H.......x^..Lb...............Y..........................................^..}.....(.......(.....*.0..-.........{....o......,...{.....o......{.....o......*>..{.....o.....*..*.0..H.........{....o....o......{....o....o....o....r...p(......,D..{....o....r...po....&.{....o....r!..po....&.{....o....r;..po....&..{....o....o....o....rQ..p(......,D..{....o....rc..po....&.{....o....rq..po....&.{....o....r...po....&..{....o....o....o....r...p(......,D..{....o....r...po....&.{....o....r..

                                        C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe:Zone.Identifier

                                        Download File
                                        Process:C:\Users\user\Desktop\z68ORDER.scr.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Preview:[ZoneTransfer]....ZoneId=0

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.840903651570537
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Windows Screen Saver (13104/52) 0.07%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        File name:z68ORDER.scr.exe
                                        File size:665'088 bytes
                                        MD5:a04e6ee334556cebd31e9ae152ddbed1
                                        SHA1:68dbddadad1c6c40b8f824ee44726fea87118fcc
                                        SHA256:5c875f9d28eae5afce4aac472b0825edef8cac3119d2991d3dd08a1fd32bd424
                                        SHA512:6734f4d8e7e124b5080b6aa00edd980021ad76ade679e4a9b55c30f86a0e5e916947dcb80ab1d4ec41f31b9a9a4f45cca5c52002ba1a440767a000dffdc2142e
                                        SSDEEP:12288:BSHUDLjHP7ZRvNRwNKIJHp3SaFq4YdoAu3YlRsrKbypq60Ok8c11igY69i72l:JjHP7vMzpiP4YdoOVbypq9OncTW6kE
                                        TLSH:E0E4122E2528EA52D6BA07744A70D3B607B47E5DF520D30A8FDEECF738163A46520793
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....9...............0..............9... ...@....@.. ....................................@................................

                                        File Icon

                                        Icon Hash:90cececece8e8eb0

                                        Static PE Info

                                        General

                                        Entrypoint:0x4a398a
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0xFF39ACF5 [Wed Sep 9 20:05:09 2105 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                        Entrypoint Preview

                                        Instruction
                                        jmp dword ptr [00402000h]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al

                                        Data Directories

                                        NameVirtual AddressVirtual Size Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_IMPORT0xa39350x4f.text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0xa40000x64c.rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0xa60000xc.reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG0xa19cc0x70.text
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                        Sections

                                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                        .text0x20000xa19900xa1a000ce8e7d3cfa8999cc69180ee3f2e12c0False0.9237133241492653data7.850671263446786IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .rsrc0xa40000x64c0x800c8830a9ac83404506d567e631239832aFalse0.33984375data3.4934075118761108IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc0xa60000xc0x200af52b086362df3acea72fefb4d208accFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Resources

                                        NameRVASizeTypeLanguageCountryZLIB Complexity
                                        RT_VERSION0xa40900x3bcdata0.4110878661087866
                                        RT_MANIFEST0xa445c0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                        Imports

                                        DLLImport
                                        mscoree.dll_CorExeMain

                                        Network Behavior

                                        Network Port Distribution

                                        TCP Packets

                                        TimestampSource PortDest PortSource IPDest IP
                                        Sep 9, 2024 14:16:41.175216913 CEST49713443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:16:41.175252914 CEST44349713104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:16:41.175312996 CEST49713443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:16:41.182682037 CEST49713443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:16:41.182718992 CEST44349713104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:16:41.647231102 CEST44349713104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:16:41.647319078 CEST49713443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:16:41.651725054 CEST49713443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:16:41.651746035 CEST44349713104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:16:41.652044058 CEST44349713104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:16:41.698199034 CEST49713443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:16:41.750840902 CEST49713443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:16:41.791402102 CEST44349713104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:16:41.860845089 CEST44349713104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:16:41.861016035 CEST44349713104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:16:41.861793041 CEST49713443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:16:41.873680115 CEST49713443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:16:42.466207027 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:42.472604036 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:42.472896099 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:43.188369989 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:43.188568115 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:43.193669081 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:43.347160101 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:43.347338915 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:43.352591991 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:43.506031990 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:43.506618023 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:43.512326956 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:43.666176081 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:43.666220903 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:43.666259050 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:43.666295052 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:43.666323900 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:43.666640043 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:43.666640043 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:43.713825941 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:43.756941080 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:43.807605982 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:43.822472095 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:43.827533960 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:43.981472969 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:43.984637976 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:43.990089893 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:44.143506050 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:44.144742012 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:44.150721073 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:44.307658911 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:44.308562994 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:44.315433025 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:44.474113941 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:44.475414991 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:44.484107971 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:44.636239052 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:44.636517048 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:44.642755985 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:44.823168039 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:44.823407888 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:44.829786062 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:44.983468056 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:44.984117031 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:44.984189034 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:44.984240055 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:44.984240055 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:44.988928080 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:44.989139080 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:44.989149094 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:44.989160061 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:45.380031109 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:45.432610035 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:53.278950930 CEST49718443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:16:53.278992891 CEST44349718104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:16:53.279069901 CEST49718443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:16:53.282248974 CEST49718443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:16:53.282263994 CEST44349718104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:16:53.741832972 CEST44349718104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:16:53.741909981 CEST49718443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:16:53.743741035 CEST49718443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:16:53.743753910 CEST44349718104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:16:53.744062901 CEST44349718104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:16:53.792058945 CEST49718443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:16:53.803411007 CEST49718443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:16:53.851416111 CEST44349718104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:16:53.909851074 CEST44349718104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:16:53.909920931 CEST44349718104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:16:53.909991980 CEST49718443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:16:53.926599979 CEST49718443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:16:54.460814953 CEST49719587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:54.465823889 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:54.465971947 CEST49719587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:55.013942957 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:55.014123917 CEST49719587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:55.018999100 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:55.169301033 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:55.173127890 CEST49719587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:55.178339958 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:55.328422070 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:55.330039024 CEST49719587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:55.335105896 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:55.485625982 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:55.485654116 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:55.485666990 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:55.485685110 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:55.485719919 CEST49719587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:55.485768080 CEST49719587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:55.572938919 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:55.575407982 CEST49719587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:55.580271959 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:55.730762005 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:55.736776114 CEST49719587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:55.741880894 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:55.892775059 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:55.893322945 CEST49719587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:55.898909092 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:56.051353931 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:56.051672935 CEST49719587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:56.056528091 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:56.211602926 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:56.211869955 CEST49719587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:56.216639996 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:56.370148897 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:56.384640932 CEST49719587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:56.389496088 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:56.562619925 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:56.562833071 CEST49719587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:56.567657948 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:56.719417095 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:56.720180988 CEST49719587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:56.720257044 CEST49719587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:56.720279932 CEST49719587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:56.720305920 CEST49719587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:16:56.725070953 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:56.725087881 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:56.725152016 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:56.725162029 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:57.106868982 CEST58749719208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:16:57.151355982 CEST49719587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:17:01.449421883 CEST49726443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:17:01.449469090 CEST44349726104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:17:01.449526072 CEST49726443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:17:01.452637911 CEST49726443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:17:01.452656031 CEST44349726104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:17:01.939183950 CEST44349726104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:17:01.939260960 CEST49726443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:17:01.943073034 CEST49726443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:17:01.943084002 CEST44349726104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:17:01.943516970 CEST44349726104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:17:01.995134115 CEST49726443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:17:02.018538952 CEST49726443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:17:02.059428930 CEST44349726104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:17:02.134303093 CEST44349726104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:17:02.134401083 CEST44349726104.26.13.205192.168.2.11
                                        Sep 9, 2024 14:17:02.134449005 CEST49726443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:17:02.147876978 CEST49726443192.168.2.11104.26.13.205
                                        Sep 9, 2024 14:17:02.574071884 CEST49719587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:17:02.645219088 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:17:02.650260925 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:02.650343895 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:17:03.198122978 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:03.198565960 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:17:03.203434944 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:03.354017973 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:03.354640961 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:17:03.360094070 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:03.510963917 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:03.511408091 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:17:03.519680023 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:03.667300940 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:03.667354107 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:03.667418003 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:03.667433023 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:17:03.667454004 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:03.667681932 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:17:03.754806042 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:03.762774944 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:17:03.769156933 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:03.921667099 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:03.926834106 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:17:03.932826042 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:04.085560083 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:04.085875034 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:17:04.090820074 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:04.243761063 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:04.244039059 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:17:04.477647066 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:04.478841066 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:17:04.479166985 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:04.634962082 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:04.636123896 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:17:04.642313957 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:04.796116114 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:04.796457052 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:17:04.801908016 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:04.975657940 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:04.976041079 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:17:04.981059074 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:05.133662939 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:05.134418964 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:17:05.134468079 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:17:05.134506941 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:17:05.134506941 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:17:05.139455080 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:05.139627934 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:05.139637947 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:05.139647007 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:05.528323889 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:17:05.573263884 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:18:22.480077028 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:18:22.485508919 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:18:22.663486958 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:18:22.664377928 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:18:22.664697886 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:18:22.664709091 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:18:22.664763927 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:18:22.664777040 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:18:22.669506073 CEST58749715208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:18:22.669559002 CEST49715587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:18:42.667716026 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:18:42.675080061 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:18:42.823606968 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:18:42.824327946 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:18:42.824372053 CEST58749727208.91.198.143192.168.2.11
                                        Sep 9, 2024 14:18:42.824446917 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:18:42.824481964 CEST49727587192.168.2.11208.91.198.143
                                        Sep 9, 2024 14:18:42.824862957 CEST49727587192.168.2.11208.91.198.143

                                        UDP Packets

                                        TimestampSource PortDest PortSource IPDest IP
                                        Sep 9, 2024 14:16:41.150351048 CEST5787353192.168.2.111.1.1.1
                                        Sep 9, 2024 14:16:41.158092976 CEST53578731.1.1.1192.168.2.11
                                        Sep 9, 2024 14:16:42.453589916 CEST5460653192.168.2.111.1.1.1
                                        Sep 9, 2024 14:16:42.465369940 CEST53546061.1.1.1192.168.2.11

                                        DNS Queries

                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                        Sep 9, 2024 14:16:41.150351048 CEST192.168.2.111.1.1.10x5f27Standard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                        Sep 9, 2024 14:16:42.453589916 CEST192.168.2.111.1.1.10xb9aeStandard query (0)us2.smtp.mailhostbox.comA (IP address)IN (0x0001)false

                                        DNS Answers

                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                        Sep 9, 2024 14:16:41.158092976 CEST1.1.1.1192.168.2.110x5f27No error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                        Sep 9, 2024 14:16:41.158092976 CEST1.1.1.1192.168.2.110x5f27No error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                        Sep 9, 2024 14:16:41.158092976 CEST1.1.1.1192.168.2.110x5f27No error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                        Sep 9, 2024 14:16:42.465369940 CEST1.1.1.1192.168.2.110xb9aeNo error (0)us2.smtp.mailhostbox.com208.91.198.143A (IP address)IN (0x0001)false
                                        Sep 9, 2024 14:16:42.465369940 CEST1.1.1.1192.168.2.110xb9aeNo error (0)us2.smtp.mailhostbox.com208.91.199.225A (IP address)IN (0x0001)false
                                        Sep 9, 2024 14:16:42.465369940 CEST1.1.1.1192.168.2.110xb9aeNo error (0)us2.smtp.mailhostbox.com208.91.199.223A (IP address)IN (0x0001)false
                                        Sep 9, 2024 14:16:42.465369940 CEST1.1.1.1192.168.2.110xb9aeNo error (0)us2.smtp.mailhostbox.com208.91.199.224A (IP address)IN (0x0001)false

                                        HTTP Request Dependency Graph

                                        • api.ipify.org

                                        HTTPS Proxied Packets

                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                        0192.168.2.1149713104.26.13.2054437732C:\Users\user\Desktop\z68ORDER.scr.exe
                                        TimestampBytes transferredDirectionData
                                        2024-09-09 12:16:41 UTC155OUTGET / HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                        Host: api.ipify.org
                                        Connection: Keep-Alive
                                        2024-09-09 12:16:41 UTC211INHTTP/1.1 200 OK
                                        Date: Mon, 09 Sep 2024 12:16:41 GMT
                                        Content-Type: text/plain
                                        Content-Length: 11
                                        Connection: close
                                        Vary: Origin
                                        CF-Cache-Status: DYNAMIC
                                        Server: cloudflare
                                        CF-RAY: 8c071c653cc8c481-EWR
                                        2024-09-09 12:16:41 UTC11INData Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                        Data Ascii: 8.46.123.33


                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                        1192.168.2.1149718104.26.13.2054438160C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
                                        TimestampBytes transferredDirectionData
                                        2024-09-09 12:16:53 UTC155OUTGET / HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                        Host: api.ipify.org
                                        Connection: Keep-Alive
                                        2024-09-09 12:16:53 UTC211INHTTP/1.1 200 OK
                                        Date: Mon, 09 Sep 2024 12:16:53 GMT
                                        Content-Type: text/plain
                                        Content-Length: 11
                                        Connection: close
                                        Vary: Origin
                                        CF-Cache-Status: DYNAMIC
                                        Server: cloudflare
                                        CF-RAY: 8c071cb08afc0f8f-EWR
                                        2024-09-09 12:16:53 UTC11INData Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                        Data Ascii: 8.46.123.33


                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                        2192.168.2.1149726104.26.13.2054437380C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
                                        TimestampBytes transferredDirectionData
                                        2024-09-09 12:17:02 UTC155OUTGET / HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                        Host: api.ipify.org
                                        Connection: Keep-Alive
                                        2024-09-09 12:17:02 UTC211INHTTP/1.1 200 OK
                                        Date: Mon, 09 Sep 2024 12:17:02 GMT
                                        Content-Type: text/plain
                                        Content-Length: 11
                                        Connection: close
                                        Vary: Origin
                                        CF-Cache-Status: DYNAMIC
                                        Server: cloudflare
                                        CF-RAY: 8c071ce3eb928ccd-EWR
                                        2024-09-09 12:17:02 UTC11INData Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                        Data Ascii: 8.46.123.33


                                        SMTP Packets

                                        TimestampSource PortDest PortSource IPDest IPCommands
                                        Sep 9, 2024 14:16:43.188369989 CEST58749715208.91.198.143192.168.2.11220 us2.outbound.mailhostbox.com ESMTP Postfix
                                        Sep 9, 2024 14:16:43.188568115 CEST49715587192.168.2.11208.91.198.143EHLO 287400
                                        Sep 9, 2024 14:16:43.347160101 CEST58749715208.91.198.143192.168.2.11250-us2.outbound.mailhostbox.com
                                        250-PIPELINING
                                        250-SIZE 41648128
                                        250-VRFY
                                        250-ETRN
                                        250-STARTTLS
                                        250-AUTH PLAIN LOGIN
                                        250-AUTH=PLAIN LOGIN
                                        250-ENHANCEDSTATUSCODES
                                        250-8BITMIME
                                        250-DSN
                                        250 CHUNKING
                                        Sep 9, 2024 14:16:43.347338915 CEST49715587192.168.2.11208.91.198.143STARTTLS
                                        Sep 9, 2024 14:16:43.506031990 CEST58749715208.91.198.143192.168.2.11220 2.0.0 Ready to start TLS
                                        Sep 9, 2024 14:16:55.013942957 CEST58749719208.91.198.143192.168.2.11220 us2.outbound.mailhostbox.com ESMTP Postfix
                                        Sep 9, 2024 14:16:55.014123917 CEST49719587192.168.2.11208.91.198.143EHLO 287400
                                        Sep 9, 2024 14:16:55.169301033 CEST58749719208.91.198.143192.168.2.11250-us2.outbound.mailhostbox.com
                                        250-PIPELINING
                                        250-SIZE 41648128
                                        250-VRFY
                                        250-ETRN
                                        250-STARTTLS
                                        250-AUTH PLAIN LOGIN
                                        250-AUTH=PLAIN LOGIN
                                        250-ENHANCEDSTATUSCODES
                                        250-8BITMIME
                                        250-DSN
                                        250 CHUNKING
                                        Sep 9, 2024 14:16:55.173127890 CEST49719587192.168.2.11208.91.198.143STARTTLS
                                        Sep 9, 2024 14:16:55.328422070 CEST58749719208.91.198.143192.168.2.11220 2.0.0 Ready to start TLS
                                        Sep 9, 2024 14:17:03.198122978 CEST58749727208.91.198.143192.168.2.11220 us2.outbound.mailhostbox.com ESMTP Postfix
                                        Sep 9, 2024 14:17:03.198565960 CEST49727587192.168.2.11208.91.198.143EHLO 287400
                                        Sep 9, 2024 14:17:03.354017973 CEST58749727208.91.198.143192.168.2.11250-us2.outbound.mailhostbox.com
                                        250-PIPELINING
                                        250-SIZE 41648128
                                        250-VRFY
                                        250-ETRN
                                        250-STARTTLS
                                        250-AUTH PLAIN LOGIN
                                        250-AUTH=PLAIN LOGIN
                                        250-ENHANCEDSTATUSCODES
                                        250-8BITMIME
                                        250-DSN
                                        250 CHUNKING
                                        Sep 9, 2024 14:17:03.354640961 CEST49727587192.168.2.11208.91.198.143STARTTLS
                                        Sep 9, 2024 14:17:03.510963917 CEST58749727208.91.198.143192.168.2.11220 2.0.0 Ready to start TLS

                                        Statistics

                                        CPU Usage

                                        Click to jump to process

                                        Memory Usage

                                        Click to jump to process

                                        High Level Behavior Distribution

                                        Click to dive into process behavior distribution

                                        Behavior

                                        Click to jump to process

                                        System Behavior

                                        General

                                        Target ID:0
                                        Start time:08:16:38
                                        Start date:09/09/2024
                                        Path:C:\Users\user\Desktop\z68ORDER.scr.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\z68ORDER.scr.exe"
                                        Imagebase:0x480000
                                        File size:665'088 bytes
                                        MD5 hash:A04E6EE334556CEBD31E9AE152DDBED1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1322262193.0000000003909000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1322262193.0000000003909000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        General

                                        Target ID:3
                                        Start time:08:16:39
                                        Start date:09/09/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z68ORDER.scr.exe"
                                        Imagebase:0xd00000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        General

                                        Target ID:4
                                        Start time:08:16:39
                                        Start date:09/09/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff68cce0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        General

                                        Target ID:5
                                        Start time:08:16:39
                                        Start date:09/09/2024
                                        Path:C:\Users\user\Desktop\z68ORDER.scr.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Users\user\Desktop\z68ORDER.scr.exe"
                                        Imagebase:0x360000
                                        File size:665'088 bytes
                                        MD5 hash:A04E6EE334556CEBD31E9AE152DDBED1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        General

                                        Target ID:6
                                        Start time:08:16:39
                                        Start date:09/09/2024
                                        Path:C:\Users\user\Desktop\z68ORDER.scr.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Users\user\Desktop\z68ORDER.scr.exe"
                                        Imagebase:0x3a0000
                                        File size:665'088 bytes
                                        MD5 hash:A04E6EE334556CEBD31E9AE152DDBED1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        General

                                        Target ID:7
                                        Start time:08:16:39
                                        Start date:09/09/2024
                                        Path:C:\Users\user\Desktop\z68ORDER.scr.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\z68ORDER.scr.exe"
                                        Imagebase:0x790000
                                        File size:665'088 bytes
                                        MD5 hash:A04E6EE334556CEBD31E9AE152DDBED1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2545303921.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2545303921.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2545303921.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2545303921.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2545303921.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:false

                                        General

                                        Target ID:8
                                        Start time:08:16:41
                                        Start date:09/09/2024
                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                        Imagebase:0x7ff6220e0000
                                        File size:496'640 bytes
                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                        Has elevated privileges:true
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false

                                        General

                                        Target ID:9
                                        Start time:08:16:50
                                        Start date:09/09/2024
                                        Path:C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
                                        Imagebase:0xaf0000
                                        File size:665'088 bytes
                                        MD5 hash:A04E6EE334556CEBD31E9AE152DDBED1
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 34%, ReversingLabs
                                        • Detection: 34%, Virustotal, Browse
                                        Reputation:low
                                        Has exited:true

                                        General

                                        Target ID:10
                                        Start time:08:16:51
                                        Start date:09/09/2024
                                        Path:C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
                                        Imagebase:0xa80000
                                        File size:665'088 bytes
                                        MD5 hash:A04E6EE334556CEBD31E9AE152DDBED1
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1525325777.0000000002E93000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1521450126.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1521450126.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1525325777.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1525325777.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1525325777.0000000002E89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1525325777.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        General

                                        Target ID:12
                                        Start time:08:16:58
                                        Start date:09/09/2024
                                        Path:C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
                                        Imagebase:0x330000
                                        File size:665'088 bytes
                                        MD5 hash:A04E6EE334556CEBD31E9AE152DDBED1
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        General

                                        Target ID:13
                                        Start time:08:16:59
                                        Start date:09/09/2024
                                        Path:C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
                                        Imagebase:0x7b0000
                                        File size:665'088 bytes
                                        MD5 hash:A04E6EE334556CEBD31E9AE152DDBED1
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2546108508.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2546108508.0000000002CAC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2546108508.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2546108508.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2546108508.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:false

                                        Disassembly

                                        Reset < >

                                          Execution Graph

                                          Execution Coverage:11%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:6.1%
                                          Total number of Nodes:343
                                          Total number of Limit Nodes:10
                                          execution_graph 44811 bfd01c 44812 bfd034 44811->44812 44813 bfd08e 44812->44813 44818 4db2818 44812->44818 44823 4db1aa8 44812->44823 44828 4db1a98 44812->44828 44833 4db2808 44812->44833 44819 4db2845 44818->44819 44820 4db2877 44819->44820 44838 4db2991 44819->44838 44843 4db29a0 44819->44843 44824 4db1ace 44823->44824 44826 4db2818 2 API calls 44824->44826 44827 4db2808 2 API calls 44824->44827 44825 4db1aef 44825->44813 44826->44825 44827->44825 44829 4db1a9c 44828->44829 44831 4db2818 2 API calls 44829->44831 44832 4db2808 2 API calls 44829->44832 44830 4db1aef 44830->44813 44831->44830 44832->44830 44834 4db280c 44833->44834 44835 4db2877 44834->44835 44836 4db2991 2 API calls 44834->44836 44837 4db29a0 2 API calls 44834->44837 44836->44835 44837->44835 44840 4db2994 44838->44840 44839 4db2a40 44839->44820 44848 4db2a58 44840->44848 44851 4db2a48 44840->44851 44845 4db29a2 44843->44845 44844 4db2a40 44844->44820 44846 4db2a58 2 API calls 44845->44846 44847 4db2a48 2 API calls 44845->44847 44846->44844 44847->44844 44849 4db2a69 44848->44849 44855 4db401f 44848->44855 44849->44839 44852 4db2a4c 44851->44852 44853 4db2a69 44852->44853 44854 4db401f 2 API calls 44852->44854 44853->44839 44854->44853 44859 4db4040 44855->44859 44863 4db4030 44855->44863 44856 4db402a 44856->44849 44860 4db4082 44859->44860 44862 4db4089 44859->44862 44861 4db40da CallWindowProcW 44860->44861 44860->44862 44861->44862 44862->44856 44864 4db4040 44863->44864 44865 4db40da CallWindowProcW 44864->44865 44866 4db4089 44864->44866 44865->44866 44866->44856 44772 fe4668 44773 fe467a 44772->44773 44776 fe4686 44773->44776 44778 fe4779 44773->44778 44775 fe46a5 44783 fe3e40 44776->44783 44779 fe477c 44778->44779 44787 fe4888 44779->44787 44791 fe4879 44779->44791 44784 fe3e4b 44783->44784 44799 fe5c4c 44784->44799 44786 fe7045 44786->44775 44788 fe48af 44787->44788 44790 fe498c 44788->44790 44795 fe44c4 44788->44795 44793 fe487c 44791->44793 44792 fe498c 44792->44792 44793->44792 44794 fe44c4 CreateActCtxA 44793->44794 44794->44792 44796 fe5918 CreateActCtxA 44795->44796 44798 fe59db 44796->44798 44800 fe5c57 44799->44800 44803 fe5c6c 44800->44803 44802 fe70ed 44802->44786 44804 fe5c77 44803->44804 44807 fe5c9c 44804->44807 44806 fe71c2 44806->44802 44808 fe5ca7 44807->44808 44809 fe5ccc 2 API calls 44808->44809 44810 fe72c5 44809->44810 44810->44806 44869 6a8d490 44870 6a8d61b 44869->44870 44872 6a8d4b6 44869->44872 44872->44870 44873 6a8aaf4 44872->44873 44874 6a8d710 PostMessageW 44873->44874 44876 6a8d77c 44874->44876 44876->44872 44651 4db7750 44652 4db777d 44651->44652 44675 4db73fc 44652->44675 44654 4db7801 44679 4db741c 44654->44679 44656 4db7865 44657 4db741c 2 API calls 44656->44657 44658 4db7897 44657->44658 44659 4db741c 2 API calls 44658->44659 44660 4db78c9 44659->44660 44684 4db742c 44660->44684 44662 4db78fb 44663 4db742c 2 API calls 44662->44663 44664 4db792d 44663->44664 44665 4db742c 2 API calls 44664->44665 44666 4db795f 44665->44666 44667 4db73fc 2 API calls 44666->44667 44668 4db7991 44667->44668 44669 4db741c 2 API calls 44668->44669 44670 4db7a59 44669->44670 44671 4db741c 2 API calls 44670->44671 44672 4db7a8b 44671->44672 44673 4db741c 2 API calls 44672->44673 44674 4db7abd 44673->44674 44676 4db7407 44675->44676 44689 4db75cc 44676->44689 44678 4db9a99 44678->44654 44680 4db7427 44679->44680 44681 4dba9f3 44680->44681 44682 fe5ccc 2 API calls 44680->44682 44683 fe830b 2 API calls 44680->44683 44681->44656 44682->44681 44683->44681 44685 4db7437 44684->44685 44686 fe5ccc 2 API calls 44685->44686 44687 4dbb562 44685->44687 44688 fe830b 2 API calls 44685->44688 44686->44687 44687->44662 44688->44687 44690 4db75d7 44689->44690 44694 fe5ccc 44690->44694 44699 fe830b 44690->44699 44691 4db9b8c 44691->44678 44695 fe5cd7 44694->44695 44696 fe8609 44695->44696 44704 fecd68 44695->44704 44709 fecd77 44695->44709 44696->44691 44700 fe8318 44699->44700 44701 fe8609 44700->44701 44702 fecd68 2 API calls 44700->44702 44703 fecd77 2 API calls 44700->44703 44701->44691 44702->44701 44703->44701 44706 fecd70 44704->44706 44705 fecdbd 44705->44696 44706->44705 44714 fecf28 44706->44714 44718 fecf18 44706->44718 44711 fecd7a 44709->44711 44710 fecdbd 44710->44696 44711->44710 44712 fecf28 2 API calls 44711->44712 44713 fecf18 2 API calls 44711->44713 44712->44710 44713->44710 44715 fecf35 44714->44715 44716 fecf6f 44715->44716 44722 febae0 44715->44722 44716->44705 44719 fecf24 44718->44719 44720 fecf11 44719->44720 44721 febae0 2 API calls 44719->44721 44720->44705 44721->44720 44723 febae5 44722->44723 44725 fedc88 44723->44725 44726 fed2dc 44723->44726 44725->44725 44727 fed2e7 44726->44727 44728 fe5ccc 2 API calls 44727->44728 44729 fedcf7 44728->44729 44733 fefa70 44729->44733 44739 fefa88 44729->44739 44730 fedd31 44730->44725 44735 fefbb9 44733->44735 44736 fefab9 44733->44736 44734 fefac5 44734->44730 44735->44730 44736->44734 44745 4db09b3 44736->44745 44749 4db09c0 44736->44749 44741 fefbb9 44739->44741 44742 fefab9 44739->44742 44740 fefac5 44740->44730 44741->44730 44742->44740 44743 4db09b3 2 API calls 44742->44743 44744 4db09c0 2 API calls 44742->44744 44743->44741 44744->44741 44746 4db09c0 44745->44746 44747 4db0a9a 44746->44747 44753 4db1790 44746->44753 44750 4db09eb 44749->44750 44751 4db0a9a 44750->44751 44752 4db1790 2 API calls 44750->44752 44752->44751 44755 4db1794 44753->44755 44754 4db18d5 44754->44747 44755->44747 44756 4db18f0 CreateWindowExW 44755->44756 44757 4db18e4 CreateWindowExW 44755->44757 44756->44754 44757->44754 44877 6a8b2d3 44878 6a8b27c 44877->44878 44879 6a8b304 44878->44879 44883 6a8c20e 44878->44883 44903 6a8c1a1 44878->44903 44922 6a8c1b0 44878->44922 44884 6a8c19c 44883->44884 44886 6a8c211 44883->44886 44885 6a8c1ee 44884->44885 44941 6a8cd5f 44884->44941 44945 6a8c8dc 44884->44945 44952 6a8c6b8 44884->44952 44956 6a8ca87 44884->44956 44961 6a8cb43 44884->44961 44966 6a8ca63 44884->44966 44971 6a8c882 44884->44971 44976 6a8c621 44884->44976 44981 6a8c98d 44884->44981 44986 6a8c948 44884->44986 44991 6a8c5b7 44884->44991 44995 6a8ca35 44884->44995 45001 6a8c7f4 44884->45001 45006 6a8cdd2 44884->45006 45011 6a8cbd0 44884->45011 45015 6a8c67f 44884->45015 44885->44879 44886->44879 44904 6a8c1ca 44903->44904 44905 6a8c948 2 API calls 44904->44905 44906 6a8c98d 3 API calls 44904->44906 44907 6a8c621 2 API calls 44904->44907 44908 6a8c882 2 API calls 44904->44908 44909 6a8ca63 2 API calls 44904->44909 44910 6a8cb43 2 API calls 44904->44910 44911 6a8ca87 2 API calls 44904->44911 44912 6a8c6b8 2 API calls 44904->44912 44913 6a8c1ee 44904->44913 44914 6a8c8dc 4 API calls 44904->44914 44915 6a8cd5f 2 API calls 44904->44915 44916 6a8c67f 2 API calls 44904->44916 44917 6a8cbd0 2 API calls 44904->44917 44918 6a8cdd2 2 API calls 44904->44918 44919 6a8c7f4 2 API calls 44904->44919 44920 6a8ca35 3 API calls 44904->44920 44921 6a8c5b7 2 API calls 44904->44921 44905->44913 44906->44913 44907->44913 44908->44913 44909->44913 44910->44913 44911->44913 44912->44913 44913->44879 44914->44913 44915->44913 44916->44913 44917->44913 44918->44913 44919->44913 44920->44913 44921->44913 44923 6a8c1ca 44922->44923 44924 6a8c948 2 API calls 44923->44924 44925 6a8c98d 3 API calls 44923->44925 44926 6a8c621 2 API calls 44923->44926 44927 6a8c882 2 API calls 44923->44927 44928 6a8ca63 2 API calls 44923->44928 44929 6a8cb43 2 API calls 44923->44929 44930 6a8ca87 2 API calls 44923->44930 44931 6a8c6b8 2 API calls 44923->44931 44932 6a8c1ee 44923->44932 44933 6a8c8dc 4 API calls 44923->44933 44934 6a8cd5f 2 API calls 44923->44934 44935 6a8c67f 2 API calls 44923->44935 44936 6a8cbd0 2 API calls 44923->44936 44937 6a8cdd2 2 API calls 44923->44937 44938 6a8c7f4 2 API calls 44923->44938 44939 6a8ca35 3 API calls 44923->44939 44940 6a8c5b7 2 API calls 44923->44940 44924->44932 44925->44932 44926->44932 44927->44932 44928->44932 44929->44932 44930->44932 44931->44932 44932->44879 44933->44932 44934->44932 44935->44932 44936->44932 44937->44932 44938->44932 44939->44932 44940->44932 45020 6a8a5f0 44941->45020 45024 6a8a5e9 44941->45024 44942 6a8cd79 45036 6a8a6c8 44945->45036 45040 6a8a6c1 44945->45040 44946 6a8c8bd 44947 6a8c899 44947->44946 45028 6a8a788 44947->45028 45032 6a8a780 44947->45032 44954 6a8a788 WriteProcessMemory 44952->44954 44955 6a8a780 WriteProcessMemory 44952->44955 44953 6a8c6e0 44954->44953 44955->44953 44957 6a8ca8d 44956->44957 45044 6a8a100 44957->45044 45048 6a8a108 44957->45048 44958 6a8cfd4 44962 6a8ca9e 44961->44962 44964 6a8a108 ResumeThread 44962->44964 44965 6a8a100 ResumeThread 44962->44965 44963 6a8cfd4 44964->44963 44965->44963 44967 6a8c62d 44966->44967 44967->44885 44969 6a8a108 ResumeThread 44967->44969 44970 6a8a100 ResumeThread 44967->44970 44968 6a8cfd4 44969->44968 44970->44968 44972 6a8c888 44971->44972 44974 6a8a788 WriteProcessMemory 44972->44974 44975 6a8a780 WriteProcessMemory 44972->44975 44973 6a8c8bd 44974->44973 44975->44973 44977 6a8c62d 44976->44977 44979 6a8a108 ResumeThread 44977->44979 44980 6a8a100 ResumeThread 44977->44980 44978 6a8cfd4 44979->44978 44980->44978 44982 6a8c9c1 44981->44982 45052 6a8a878 44981->45052 45056 6a8a951 44981->45056 45060 6a8a870 44981->45060 44982->44885 44987 6a8c96b 44986->44987 44989 6a8a788 WriteProcessMemory 44987->44989 44990 6a8a780 WriteProcessMemory 44987->44990 44988 6a8cf3d 44989->44988 44990->44988 45064 6a8ae10 44991->45064 45068 6a8ae04 44991->45068 44996 6a8c99f 44995->44996 44998 6a8a878 ReadProcessMemory 44996->44998 44999 6a8a870 ReadProcessMemory 44996->44999 45000 6a8a951 ReadProcessMemory 44996->45000 44997 6a8c9c1 44997->44885 44998->44997 44999->44997 45000->44997 45002 6a8c62d 45001->45002 45002->44885 45004 6a8a108 ResumeThread 45002->45004 45005 6a8a100 ResumeThread 45002->45005 45003 6a8cfd4 45004->45003 45005->45003 45007 6a8c62d 45006->45007 45009 6a8a108 ResumeThread 45007->45009 45010 6a8a100 ResumeThread 45007->45010 45008 6a8cfd4 45009->45008 45010->45008 45013 6a8a5e9 Wow64SetThreadContext 45011->45013 45014 6a8a5f0 Wow64SetThreadContext 45011->45014 45012 6a8c6b5 45012->44885 45013->45012 45014->45012 45016 6a8c62d 45015->45016 45016->44885 45018 6a8a108 ResumeThread 45016->45018 45019 6a8a100 ResumeThread 45016->45019 45017 6a8cfd4 45018->45017 45019->45017 45021 6a8a635 Wow64SetThreadContext 45020->45021 45023 6a8a67d 45021->45023 45023->44942 45025 6a8a5f0 Wow64SetThreadContext 45024->45025 45027 6a8a67d 45025->45027 45027->44942 45029 6a8a7d0 WriteProcessMemory 45028->45029 45031 6a8a827 45029->45031 45031->44946 45033 6a8a788 WriteProcessMemory 45032->45033 45035 6a8a827 45033->45035 45035->44946 45037 6a8a708 VirtualAllocEx 45036->45037 45039 6a8a745 45037->45039 45039->44947 45041 6a8a6c8 VirtualAllocEx 45040->45041 45043 6a8a745 45041->45043 45043->44947 45045 6a8a108 ResumeThread 45044->45045 45047 6a8a179 45045->45047 45047->44958 45049 6a8a148 ResumeThread 45048->45049 45051 6a8a179 45049->45051 45051->44958 45053 6a8a8c3 ReadProcessMemory 45052->45053 45055 6a8a907 45053->45055 45055->44982 45057 6a8a8e5 ReadProcessMemory 45056->45057 45059 6a8a956 45056->45059 45058 6a8a907 45057->45058 45058->44982 45059->44982 45061 6a8a8c3 ReadProcessMemory 45060->45061 45063 6a8a907 45061->45063 45063->44982 45065 6a8ae99 CreateProcessA 45064->45065 45067 6a8b05b 45065->45067 45067->45067 45069 6a8ae99 CreateProcessA 45068->45069 45071 6a8b05b 45069->45071 45071->45071 44758 feacb0 44762 feada8 44758->44762 44767 fead97 44758->44767 44759 feacbf 44763 feaddc 44762->44763 44764 feadb9 44762->44764 44763->44759 44764->44763 44765 feafe0 GetModuleHandleW 44764->44765 44766 feb00d 44765->44766 44766->44759 44769 fead9c 44767->44769 44768 feaddc 44768->44759 44769->44768 44770 feafe0 GetModuleHandleW 44769->44770 44771 feb00d 44770->44771 44771->44759 44867 fed690 DuplicateHandle 44868 fed726 44867->44868 45072 fed040 45073 fed086 GetCurrentProcess 45072->45073 45075 fed0d8 GetCurrentThread 45073->45075 45076 fed0d1 45073->45076 45077 fed10e 45075->45077 45078 fed115 GetCurrentProcess 45075->45078 45076->45075 45077->45078 45079 fed14b 45078->45079 45080 fed173 GetCurrentThreadId 45079->45080 45081 fed1a4 45080->45081

                                          Executed Functions

                                          Function 04DB7750 Relevance: 4.5, Strings: 2, Instructions: 2009COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 403 4db7750-4db777b 404 4db777d 403->404 405 4db7782-4db7d0f call 4db73fc call 4db740c call 4db741c * 3 call 4db742c * 3 call 4db73fc call 4db740c call 4db743c * 2 call 4db741c * 3 call 4db744c * 3 call 4db745c call 4db746c call 4db747c call 4db748c call 4db749c 403->405 404->405 505 4db7ef7-4db7f20 call 4db74cc 405->505 508 4db7f26-4db81ae call 4db74dc call 4db74ec call 4db74fc call 4db750c * 6 call 4db746c call 4db747c 505->508 509 4db7d14-4db7d1b 505->509 570 4db81b0 508->570 571 4db81b5-4db8214 508->571 511 4db7ec4-4db7eed call 4db74bc 509->511 515 4db7ef3-4db7ef6 511->515 516 4db7d20-4db7e1d call 4db74ac 511->516 515->505 542 4db7e38-4db7e75 516->542 543 4db7e1f-4db7e36 516->543 550 4db7eb1 542->550 551 4db7e77-4db7eb0 542->551 549 4db7eb2-4db7ec3 543->549 549->511 550->549 551->550 570->571 574 4db8272-4db8349 call 4db751c 571->574 575 4db8216-4db826c 571->575 587 4db8354-4db9a42 call 4db748c call 4db749c call 4db752c call 4db746c call 4db747c call 4db748c call 4db749c call 4db746c call 4db747c call 4db748c call 4db749c call 4db746c call 4db747c call 4db748c call 4db749c call 4db753c call 4db754c call 4db746c call 4db747c call 4db748c call 4db749c call 4db755c call 4db753c call 4db746c call 4db747c call 4db748c call 4db749c call 4db755c call 4db753c call 4db754c call 4db746c call 4db747c call 4db748c call 4db749c call 4db746c call 4db747c call 4db748c call 4db749c call 4db74dc call 4db74ec call 4db74fc call 4db750c * 6 call 4db746c call 4db747c call 4db748c call 4db749c call 4db752c call 4db746c call 4db747c call 4db748c call 4db749c call 4db74ec call 4db756c call 4db746c call 4db747c call 4db748c call 4db749c call 4db74ec call 4db756c call 4db746c call 4db747c call 4db748c call 4db749c call 4db746c call 4db747c call 4db748c call 4db749c call 4db746c call 4db747c call 4db748c call 4db749c call 4db746c call 4db747c call 4db748c call 4db749c call 4db746c call 4db747c call 4db748c call 4db749c call 4db746c call 4db747c call 4db748c call 4db749c call 4db757c call 4db758c call 4db759c call 4db750c * 6 call 4db747c call 4db75ac call 4db75bc * 3 574->587 575->574
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1324198058.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4db0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Pp_q$sd&
                                          • API String ID: 0-203798260
                                          • Opcode ID: ff15a0e43651cfb583c41e20f34b6d4bb3f73e6d8f0333cd73972e9aaa7b589c
                                          • Instruction ID: 1ba3287089a0f595e8b3febb1aabf07fc860839bad6da8e849a2760b23937dcb
                                          • Opcode Fuzzy Hash: ff15a0e43651cfb583c41e20f34b6d4bb3f73e6d8f0333cd73972e9aaa7b589c
                                          • Instruction Fuzzy Hash: C623D434A11259CFDB25EF24C898ADAB7B2FF8A305F1041E9D4096B365DB31AE81CF50
                                          Function 04DB7740 Relevance: 4.4, Strings: 2, Instructions: 1889COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 885 4db7740-4db777b 887 4db777d 885->887 888 4db7782-4db77e6 885->888 887->888 893 4db77f0-4db77fc call 4db73fc 888->893 895 4db7801-4db784a call 4db740c 893->895 901 4db7854-4db7860 call 4db741c 895->901 903 4db7865-4db78e0 call 4db741c * 2 901->903 913 4db78ea-4db78f6 call 4db742c 903->913 915 4db78fb-4db7bc4 call 4db742c * 2 call 4db73fc call 4db740c call 4db743c * 2 call 4db741c * 3 call 4db744c * 3 call 4db745c 913->915 971 4db7bcf-4db7c27 call 4db746c 915->971 975 4db7c2c-4db7c65 call 4db747c 971->975 978 4db7c6f-4db7c83 call 4db748c 975->978 980 4db7c88-4db7c99 call 4db749c 978->980 982 4db7c9e 980->982 983 4db7ca5-4db7d0f 982->983 988 4db7ef7-4db7f20 call 4db74cc 983->988 991 4db7f26-4db7fcd call 4db74dc call 4db74ec call 4db74fc call 4db750c 988->991 992 4db7d14-4db7d1b 988->992 1013 4db7fd2-4db7fec 991->1013 994 4db7ec4-4db7eed call 4db74bc 992->994 998 4db7ef3-4db7ef6 994->998 999 4db7d20-4db7e1d call 4db74ac 994->999 998->988 1025 4db7e38-4db7e75 999->1025 1026 4db7e1f-4db7e36 999->1026 1015 4db7ff2-4db8069 call 4db750c * 3 1013->1015 1031 4db806e-4db8088 1015->1031 1033 4db7eb1 1025->1033 1034 4db7e77-4db7eb0 1025->1034 1032 4db7eb2-4db7ec3 1026->1032 1036 4db808e-4db816c call 4db750c * 2 call 4db746c call 4db747c 1031->1036 1032->994 1033->1032 1034->1033 1050 4db8173-4db8198 1036->1050 1052 4db819e-4db81ae 1050->1052 1053 4db81b0 1052->1053 1054 4db81b5-4db8214 1052->1054 1053->1054 1057 4db8272-4db8320 call 4db751c 1054->1057 1058 4db8216-4db826c 1054->1058 1069 4db832b-4db8349 1057->1069 1058->1057 1070 4db8354-4db9a42 call 4db748c call 4db749c call 4db752c call 4db746c call 4db747c call 4db748c call 4db749c call 4db746c call 4db747c call 4db748c call 4db749c call 4db746c call 4db747c call 4db748c call 4db749c call 4db753c call 4db754c call 4db746c call 4db747c call 4db748c call 4db749c call 4db755c call 4db753c call 4db746c call 4db747c call 4db748c call 4db749c call 4db755c call 4db753c call 4db754c call 4db746c call 4db747c call 4db748c call 4db749c call 4db746c call 4db747c call 4db748c call 4db749c call 4db74dc call 4db74ec call 4db74fc call 4db750c * 6 call 4db746c call 4db747c call 4db748c call 4db749c call 4db752c call 4db746c call 4db747c call 4db748c call 4db749c call 4db74ec call 4db756c call 4db746c call 4db747c call 4db748c call 4db749c call 4db74ec call 4db756c call 4db746c call 4db747c call 4db748c call 4db749c call 4db746c call 4db747c call 4db748c call 4db749c call 4db746c call 4db747c call 4db748c call 4db749c call 4db746c call 4db747c call 4db748c call 4db749c call 4db746c call 4db747c call 4db748c call 4db749c call 4db746c call 4db747c call 4db748c call 4db749c call 4db757c call 4db758c call 4db759c call 4db750c * 6 call 4db747c call 4db75ac call 4db75bc * 3 1069->1070
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1324198058.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4db0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Pp_q$sd&
                                          • API String ID: 0-203798260
                                          • Opcode ID: 528544750e47b88dcd1a6baadc1ee5b7c050b5d5cb7b1b32c99e85fe5d97704f
                                          • Instruction ID: fa02a52a79183f5102a30549905196c71e079cf58c78eade435e64a6240e660e
                                          • Opcode Fuzzy Hash: 528544750e47b88dcd1a6baadc1ee5b7c050b5d5cb7b1b32c99e85fe5d97704f
                                          • Instruction Fuzzy Hash: CB13D334A11259CFDB25EF24C898ADAB7B1FF8A305F1141E9E4096B365DB31AE81CF50
                                          Function 06A88AA8 Relevance: 1.7, Strings: 1, Instructions: 438COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1631 6a88aa8 1632 6a88aad-6a88ab0 1631->1632 1633 6a88ab1-6a88ab9 1632->1633 1635 6a88abb-6a88ada 1633->1635 1636 6a88b36-6a88b4f 1633->1636 1637 6a88adc-6a88ade 1635->1637 1638 6a88ae0-6a88af0 1635->1638 1639 6a88b58-6a88b5e 1636->1639 1640 6a88b51-6a88b56 1636->1640 1637->1638 1645 6a88a7f-6a88a94 1638->1645 1646 6a88af2-6a88b20 1638->1646 1641 6a88b61-6a88b65 1639->1641 1640->1641 1643 6a88b6e-6a88b74 1641->1643 1644 6a88b67-6a88b6c 1641->1644 1647 6a88b77-6a88b7b 1643->1647 1644->1647 1645->1631 1646->1633 1655 6a88b22-6a88b34 1646->1655 1649 6a88b7d-6a88b9a 1647->1649 1650 6a88b9f-6a88ba3 1647->1650 1662 6a88dbf-6a88dc8 1649->1662 1651 6a88ba5-6a88bc2 1650->1651 1652 6a88bc7-6a88bd2 1650->1652 1651->1662 1656 6a88bda-6a88be0 1652->1656 1657 6a88bd4-6a88bd7 1652->1657 1655->1636 1659 6a88dcb-6a88dde 1656->1659 1660 6a88be6-6a88bf6 1656->1660 1657->1656 1668 6a88ddf-6a88de0 1659->1668 1666 6a88bf8-6a88c16 1660->1666 1667 6a88c1b-6a88c40 1660->1667 1673 6a88d7f-6a88d82 1666->1673 1675 6a88d88-6a88d8d 1667->1675 1676 6a88c46-6a88c4f 1667->1676 1668->1668 1669 6a88de2-6a8906e 1668->1669 1673->1675 1673->1676 1675->1659 1678 6a88d8f-6a88d92 1675->1678 1676->1659 1679 6a88c55-6a88c6d 1676->1679 1681 6a88d94 1678->1681 1682 6a88d96-6a88d99 1678->1682 1687 6a88c7f-6a88c96 1679->1687 1688 6a88c6f-6a88c74 1679->1688 1681->1662 1682->1659 1684 6a88d9b-6a88dbd 1682->1684 1684->1662 1695 6a88c98 1687->1695 1696 6a88c9e-6a88ca8 1687->1696 1688->1659 1690 6a88c7a-6a88c7d 1688->1690 1690->1687 1691 6a88cad-6a88cb2 1690->1691 1691->1659 1697 6a88cb8-6a88cc7 1691->1697 1695->1696 1696->1675 1703 6a88cc9 1697->1703 1704 6a88ccf-6a88cdf 1697->1704 1703->1704 1704->1659 1707 6a88ce5-6a88ce8 1704->1707 1707->1659 1708 6a88cee-6a88cf1 1707->1708 1710 6a88d42-6a88d54 1708->1710 1711 6a88cf3-6a88cf7 1708->1711 1710->1673 1717 6a88d56-6a88d6b 1710->1717 1711->1659 1712 6a88cfd-6a88d03 1711->1712 1714 6a88d14-6a88d1a 1712->1714 1715 6a88d05-6a88d0b 1712->1715 1714->1659 1719 6a88d20 1714->1719 1715->1659 1718 6a88d11 1715->1718 1724 6a88d6d 1717->1724 1725 6a88d73-6a88d7d 1717->1725 1718->1714 1722 6a88d2a-6a88d2c 1719->1722 1726 6a88d34-6a88d40 1722->1726 1724->1725 1725->1675 1726->1710
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'_q
                                          • API String ID: 0-2033115326
                                          • Opcode ID: 2813c167ae5c6681da8a481179c0112ec0e49661f36ff8ba744d93738f0840d4
                                          • Instruction ID: 07c69de9ef1b433263d53245c194592356a5859083f8fdacc64050c1990fe644
                                          • Opcode Fuzzy Hash: 2813c167ae5c6681da8a481179c0112ec0e49661f36ff8ba744d93738f0840d4
                                          • Instruction Fuzzy Hash: C9F19430A04209DFDB05FFB8C9946AE7BB2FF88304F158499E805AB36ADB359D45CB51
                                          Function 06A87957 Relevance: 1.6, Strings: 1, Instructions: 363COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: `6
                                          • API String ID: 0-3354348281
                                          • Opcode ID: 1ae88cb70ef181154e9a957fc208b0c493c49b9c6f51f4af009ee026d699aab4
                                          • Instruction ID: 9ed46c9f6e2a0a3c2be9dc87c40049ae7d5bccd72ff1b78788bebec911e178f6
                                          • Opcode Fuzzy Hash: 1ae88cb70ef181154e9a957fc208b0c493c49b9c6f51f4af009ee026d699aab4
                                          • Instruction Fuzzy Hash: DEF11874E042598FCB54EFA9C9809AEFBF2FF49304F248169D415AB356D730A941CFA0
                                          Function 06A8E320 Relevance: .4, Instructions: 402COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 750159e7232875bfd8341e842a9093c8195c231c40d7908003316fceeaff247c
                                          • Instruction ID: fa592f0dffc9b17adcb718d825a9ca48d2ee28b0a503522b61c74aa39a82ecea
                                          • Opcode Fuzzy Hash: 750159e7232875bfd8341e842a9093c8195c231c40d7908003316fceeaff247c
                                          • Instruction Fuzzy Hash: B2E1AA30B01644DFDBA9FB66C950BAEB7FABF89700F144869E1059B291DF35E801CB61
                                          Function 00FED031 Relevance: 6.1, APIs: 4, Instructions: 132threadCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 299 fed031-fed0cf GetCurrentProcess 304 fed0d8-fed10c GetCurrentThread 299->304 305 fed0d1-fed0d7 299->305 306 fed10e-fed114 304->306 307 fed115-fed149 GetCurrentProcess 304->307 305->304 306->307 308 fed14b-fed151 307->308 309 fed152-fed16d call fed618 307->309 308->309 313 fed173-fed1a2 GetCurrentThreadId 309->313 314 fed1ab-fed20d 313->314 315 fed1a4-fed1aa 313->315 315->314
                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 00FED0BE
                                          • GetCurrentThread.KERNEL32 ref: 00FED0FB
                                          • GetCurrentProcess.KERNEL32 ref: 00FED138
                                          • GetCurrentThreadId.KERNEL32 ref: 00FED191
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1319967436.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_fe0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 404042f48dbe08106058dcd20b473c8220de855e8afe2a3408d3c7aab94bc08e
                                          • Instruction ID: 3f74b95bdf85e9672a6554a0b8e92ebbb9a41c0810701ea696846bbd40507d5c
                                          • Opcode Fuzzy Hash: 404042f48dbe08106058dcd20b473c8220de855e8afe2a3408d3c7aab94bc08e
                                          • Instruction Fuzzy Hash: CF5165B0D00249DFDB54DFAAD548BAEBBF1EF48314F208469E409A73A1D7756844CF62
                                          Function 00FED040 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 322 fed040-fed0cf GetCurrentProcess 326 fed0d8-fed10c GetCurrentThread 322->326 327 fed0d1-fed0d7 322->327 328 fed10e-fed114 326->328 329 fed115-fed149 GetCurrentProcess 326->329 327->326 328->329 330 fed14b-fed151 329->330 331 fed152-fed16d call fed618 329->331 330->331 335 fed173-fed1a2 GetCurrentThreadId 331->335 336 fed1ab-fed20d 335->336 337 fed1a4-fed1aa 335->337 337->336
                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 00FED0BE
                                          • GetCurrentThread.KERNEL32 ref: 00FED0FB
                                          • GetCurrentProcess.KERNEL32 ref: 00FED138
                                          • GetCurrentThreadId.KERNEL32 ref: 00FED191
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1319967436.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_fe0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 25ccfc17f94e10be3b15b11242ab777800085d7f71ff6962daed71a364379f66
                                          • Instruction ID: 9f07942d90d2fcf2738128211dfb2966dd3a8af4368d0f84d4d0dd7262ee6abc
                                          • Opcode Fuzzy Hash: 25ccfc17f94e10be3b15b11242ab777800085d7f71ff6962daed71a364379f66
                                          • Instruction Fuzzy Hash: C55164B0D00249CFDB54DFAAD548BAEBBF1EF48314F208469E409A7361D774A944CF66
                                          Function 06A8AE04 Relevance: 1.8, APIs: 1, Instructions: 250processCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1456 6a8ae04-6a8aea5 1458 6a8aede-6a8aefe 1456->1458 1459 6a8aea7-6a8aeb1 1456->1459 1464 6a8af00-6a8af0a 1458->1464 1465 6a8af37-6a8af66 1458->1465 1459->1458 1460 6a8aeb3-6a8aeb5 1459->1460 1462 6a8aed8-6a8aedb 1460->1462 1463 6a8aeb7-6a8aec1 1460->1463 1462->1458 1466 6a8aec3 1463->1466 1467 6a8aec5-6a8aed4 1463->1467 1464->1465 1468 6a8af0c-6a8af0e 1464->1468 1475 6a8af68-6a8af72 1465->1475 1476 6a8af9f-6a8b059 CreateProcessA 1465->1476 1466->1467 1467->1467 1469 6a8aed6 1467->1469 1470 6a8af10-6a8af1a 1468->1470 1471 6a8af31-6a8af34 1468->1471 1469->1462 1473 6a8af1c 1470->1473 1474 6a8af1e-6a8af2d 1470->1474 1471->1465 1473->1474 1474->1474 1477 6a8af2f 1474->1477 1475->1476 1478 6a8af74-6a8af76 1475->1478 1487 6a8b05b-6a8b061 1476->1487 1488 6a8b062-6a8b0e8 1476->1488 1477->1471 1479 6a8af78-6a8af82 1478->1479 1480 6a8af99-6a8af9c 1478->1480 1482 6a8af84 1479->1482 1483 6a8af86-6a8af95 1479->1483 1480->1476 1482->1483 1483->1483 1484 6a8af97 1483->1484 1484->1480 1487->1488 1498 6a8b0f8-6a8b0fc 1488->1498 1499 6a8b0ea-6a8b0ee 1488->1499 1501 6a8b10c-6a8b110 1498->1501 1502 6a8b0fe-6a8b102 1498->1502 1499->1498 1500 6a8b0f0 1499->1500 1500->1498 1504 6a8b120-6a8b124 1501->1504 1505 6a8b112-6a8b116 1501->1505 1502->1501 1503 6a8b104 1502->1503 1503->1501 1507 6a8b136-6a8b13d 1504->1507 1508 6a8b126-6a8b12c 1504->1508 1505->1504 1506 6a8b118 1505->1506 1506->1504 1509 6a8b13f-6a8b14e 1507->1509 1510 6a8b154 1507->1510 1508->1507 1509->1510 1512 6a8b155 1510->1512 1512->1512
                                          APIs
                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06A8B046
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 5dedf5c0aebcdf850a71e638638bc4e6aefad539c910ef178cd1eb25b51a23d5
                                          • Instruction ID: 6656f960fea3c16a4d97c60594f911cb404077365e573399a5e0f9bf85a216ce
                                          • Opcode Fuzzy Hash: 5dedf5c0aebcdf850a71e638638bc4e6aefad539c910ef178cd1eb25b51a23d5
                                          • Instruction Fuzzy Hash: C9A17B71D00219DFDB60EF68C841BEEBBB2BF49304F14856AE859A7240DB749985CFA1
                                          Function 06A8AE10 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1513 6a8ae10-6a8aea5 1515 6a8aede-6a8aefe 1513->1515 1516 6a8aea7-6a8aeb1 1513->1516 1521 6a8af00-6a8af0a 1515->1521 1522 6a8af37-6a8af66 1515->1522 1516->1515 1517 6a8aeb3-6a8aeb5 1516->1517 1519 6a8aed8-6a8aedb 1517->1519 1520 6a8aeb7-6a8aec1 1517->1520 1519->1515 1523 6a8aec3 1520->1523 1524 6a8aec5-6a8aed4 1520->1524 1521->1522 1525 6a8af0c-6a8af0e 1521->1525 1532 6a8af68-6a8af72 1522->1532 1533 6a8af9f-6a8b059 CreateProcessA 1522->1533 1523->1524 1524->1524 1526 6a8aed6 1524->1526 1527 6a8af10-6a8af1a 1525->1527 1528 6a8af31-6a8af34 1525->1528 1526->1519 1530 6a8af1c 1527->1530 1531 6a8af1e-6a8af2d 1527->1531 1528->1522 1530->1531 1531->1531 1534 6a8af2f 1531->1534 1532->1533 1535 6a8af74-6a8af76 1532->1535 1544 6a8b05b-6a8b061 1533->1544 1545 6a8b062-6a8b0e8 1533->1545 1534->1528 1536 6a8af78-6a8af82 1535->1536 1537 6a8af99-6a8af9c 1535->1537 1539 6a8af84 1536->1539 1540 6a8af86-6a8af95 1536->1540 1537->1533 1539->1540 1540->1540 1541 6a8af97 1540->1541 1541->1537 1544->1545 1555 6a8b0f8-6a8b0fc 1545->1555 1556 6a8b0ea-6a8b0ee 1545->1556 1558 6a8b10c-6a8b110 1555->1558 1559 6a8b0fe-6a8b102 1555->1559 1556->1555 1557 6a8b0f0 1556->1557 1557->1555 1561 6a8b120-6a8b124 1558->1561 1562 6a8b112-6a8b116 1558->1562 1559->1558 1560 6a8b104 1559->1560 1560->1558 1564 6a8b136-6a8b13d 1561->1564 1565 6a8b126-6a8b12c 1561->1565 1562->1561 1563 6a8b118 1562->1563 1563->1561 1566 6a8b13f-6a8b14e 1564->1566 1567 6a8b154 1564->1567 1565->1564 1566->1567 1569 6a8b155 1567->1569 1569->1569
                                          APIs
                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06A8B046
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: de4c7c858f6805ae00b6ab1ed3a68140d2dd8cc38364db7a1ec4642f4a252aae
                                          • Instruction ID: cef58670300790f6830abe3a80513f169f2fd4a3a5b51eeb762d214fde446858
                                          • Opcode Fuzzy Hash: de4c7c858f6805ae00b6ab1ed3a68140d2dd8cc38364db7a1ec4642f4a252aae
                                          • Instruction Fuzzy Hash: 1A918B71D00219CFDF60EF69C8417EDBBB2BF49304F14856AE819AB240DB749985CFA1
                                          Function 00FEADA8 Relevance: 1.7, APIs: 1, Instructions: 210COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1570 feada8-feadb7 1571 feadb9-feadc6 call fea0cc 1570->1571 1572 feade3-feade7 1570->1572 1578 feaddc 1571->1578 1579 feadc8 1571->1579 1574 feadfb-feae3c 1572->1574 1575 feade9-feadf3 1572->1575 1581 feae3e-feae46 1574->1581 1582 feae49-feae57 1574->1582 1575->1574 1578->1572 1629 feadce call feb040 1579->1629 1630 feadce call feb031 1579->1630 1581->1582 1583 feae7b-feae7d 1582->1583 1584 feae59-feae5e 1582->1584 1589 feae80-feae87 1583->1589 1586 feae69 1584->1586 1587 feae60-feae67 call fea0d8 1584->1587 1585 feadd4-feadd6 1585->1578 1588 feaf18-feaf92 1585->1588 1591 feae6b-feae79 1586->1591 1587->1591 1620 feaf96-feafbe 1588->1620 1621 feaf94 1588->1621 1592 feae89-feae91 1589->1592 1593 feae94-feae9b 1589->1593 1591->1589 1592->1593 1596 feae9d-feaea5 1593->1596 1597 feaea8-feaeaa call fea0e8 1593->1597 1596->1597 1599 feaeaf-feaeb1 1597->1599 1601 feaebe-feaec3 1599->1601 1602 feaeb3-feaebb 1599->1602 1603 feaec5-feaecc 1601->1603 1604 feaee1-feaeee 1601->1604 1602->1601 1603->1604 1606 feaece-feaede call fea0f8 call fea108 1603->1606 1611 feaef0-feaf0e 1604->1611 1612 feaf11-feaf17 1604->1612 1606->1604 1611->1612 1622 feafc0-feafd8 1620->1622 1621->1620 1621->1622 1624 feafda-feafdd 1622->1624 1625 feafe0-feb00b GetModuleHandleW 1622->1625 1624->1625 1626 feb00d-feb013 1625->1626 1627 feb014-feb028 1625->1627 1626->1627 1629->1585 1630->1585
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00FEAFFE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1319967436.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_fe0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: f3a323f8fe75a401cfa67cd35c5a5e42425ad72458f3a362e878536b7b055076
                                          • Instruction ID: a4eb2b8e5782ba72dd278f98a8531c01b990d1d106fcde0b6085bf0ec8c0513b
                                          • Opcode Fuzzy Hash: f3a323f8fe75a401cfa67cd35c5a5e42425ad72458f3a362e878536b7b055076
                                          • Instruction Fuzzy Hash: 83814570A00B858FDB24DF2AC44575ABBF1FF88314F10892ED08A97A51D775F849CB92
                                          Function 04DB18E4 Relevance: 1.6, APIs: 1, Instructions: 118COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1755 4db18e4-4db18ea 1756 4db18ee-4db1956 1755->1756 1757 4db18ec 1755->1757 1759 4db1958-4db195e 1756->1759 1760 4db1961-4db1968 1756->1760 1757->1756 1759->1760 1761 4db196a-4db1970 1760->1761 1762 4db1973-4db1a12 CreateWindowExW 1760->1762 1761->1762 1764 4db1a1b-4db1a53 1762->1764 1765 4db1a14-4db1a1a 1762->1765 1769 4db1a60 1764->1769 1770 4db1a55-4db1a58 1764->1770 1765->1764 1771 4db1a61 1769->1771 1770->1769 1771->1771
                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04DB1A02
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1324198058.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4db0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          • Opcode ID: feaa469f9d71b0a300c97e6c439a8c947f1b3f7edfe860b75ebb3426263f7cc7
                                          • Instruction ID: 5fe7d4a7c0a24f8b0e07852d37505770f7e0216caa767c9224391e436a3c621a
                                          • Opcode Fuzzy Hash: feaa469f9d71b0a300c97e6c439a8c947f1b3f7edfe860b75ebb3426263f7cc7
                                          • Instruction Fuzzy Hash: 9151C2B1D00359EFDB14CF99C894ADEBFB5BF48350F24822AE859AB210D771A945CF90
                                          Function 04DB18F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1772 4db18f0-4db1956 1773 4db1958-4db195e 1772->1773 1774 4db1961-4db1968 1772->1774 1773->1774 1775 4db196a-4db1970 1774->1775 1776 4db1973-4db1a12 CreateWindowExW 1774->1776 1775->1776 1778 4db1a1b-4db1a53 1776->1778 1779 4db1a14-4db1a1a 1776->1779 1783 4db1a60 1778->1783 1784 4db1a55-4db1a58 1778->1784 1779->1778 1785 4db1a61 1783->1785 1784->1783 1785->1785
                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04DB1A02
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1324198058.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4db0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          • Opcode ID: df62f91282091aacc8badbca32dd24246b538c8b3d01d129e785cf2aa88620db
                                          • Instruction ID: 6b8b93138000d8f53129ce4d4dc331ff7c01153722cae97973f2513ed788b5f8
                                          • Opcode Fuzzy Hash: df62f91282091aacc8badbca32dd24246b538c8b3d01d129e785cf2aa88620db
                                          • Instruction Fuzzy Hash: 8041B0B1D00359EFDB14CF99C894ADEBBB5BF48350F24822AE819AB210D771A945CF90
                                          Function 00FE590C Relevance: 1.6, APIs: 1, Instructions: 99COMMON
                                          Download Yara Rule
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 00FE59C9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1319967436.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_fe0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 7dff00a4f6fc9a11922ab2f4b890bd00a2ed918cd174dcfacc5a5523ebaa0ed1
                                          • Instruction ID: a43b4dfd283183cc74a02dc280bbf0d42e5ad078ed2dc6e4209f8da0779d4dab
                                          • Opcode Fuzzy Hash: 7dff00a4f6fc9a11922ab2f4b890bd00a2ed918cd174dcfacc5a5523ebaa0ed1
                                          • Instruction Fuzzy Hash: 734134B0C00619CBDB24CFAAC8847DEBBB5BF48708F20806AD409AB255DB745945CF90
                                          Function 00FE44C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                          Download Yara Rule
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 00FE59C9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1319967436.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_fe0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: a055cf439ad6445b4c11ce417c46643170e4d5fea9a1da18eb66e45e17c1f412
                                          • Instruction ID: 92044cc375e34896f9308f05f3e813e0b7305f2c363a6886e326e62b2816b695
                                          • Opcode Fuzzy Hash: a055cf439ad6445b4c11ce417c46643170e4d5fea9a1da18eb66e45e17c1f412
                                          • Instruction Fuzzy Hash: 804113B1C0075DCBDB24DFAAC884B8EBBF5BF48708F20806AD409AB255DB755945CF90
                                          Function 04DB4040 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                          Download Yara Rule
                                          APIs
                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 04DB4101
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1324198058.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4db0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: CallProcWindow
                                          • String ID:
                                          • API String ID: 2714655100-0
                                          • Opcode ID: 79962163860a82328326e7a4af56487be70aa0235745a61d0a93d8c75f09dd06
                                          • Instruction ID: 59ebb695eb2e4d7128c4479ebdc5d275a0ff2118cddfb0ef1cc6dbcc8eed9b8e
                                          • Opcode Fuzzy Hash: 79962163860a82328326e7a4af56487be70aa0235745a61d0a93d8c75f09dd06
                                          • Instruction Fuzzy Hash: 624138B4A00309DFCB14CF99C848AAABBF5FF88314F25C459D559AB322D374A841CFA0
                                          Function 06A8A951 Relevance: 1.6, APIs: 1, Instructions: 81COMMON
                                          Download Yara Rule
                                          APIs
                                          • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06A8A8F8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: e8d3f33190185237ccaba1c9f643b72bfc799f6f8ae39780f999fc0e07a1a091
                                          • Instruction ID: dbedd1860645f2392ff47755cc933786630c372701eca39eb46ff523237b95d2
                                          • Opcode Fuzzy Hash: e8d3f33190185237ccaba1c9f643b72bfc799f6f8ae39780f999fc0e07a1a091
                                          • Instruction Fuzzy Hash: F2319872D043088EDB20EFA9C9057DEFFF1AF88320F21881AC559A7250C779A545CBA0
                                          Function 06A8D7A3 Relevance: 1.6, APIs: 1, Instructions: 74COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9a52857ffdbcda1e1650a5cafd1d96493890c7ecad657b73466cb118f1018345
                                          • Instruction ID: 4ceefc68096f7da89fe4bd289996de629a984ef8126275ca82dff010b669ac4a
                                          • Opcode Fuzzy Hash: 9a52857ffdbcda1e1650a5cafd1d96493890c7ecad657b73466cb118f1018345
                                          • Instruction Fuzzy Hash: 8821ED75D042189FDB20FF99D8047EEBBF4AF48700F20401AD544BB280CB755940CBE1
                                          Function 06A8A780 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON
                                          Download Yara Rule
                                          APIs
                                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06A8A818
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: a2e03ea964854cd0fe1766a8ac839f894d0a44f5833241a3991acd8e5f8e9658
                                          • Instruction ID: a40b6d855570d101fe4961a5a281c260c0a64ab58a01b34ed402de647c5c0770
                                          • Opcode Fuzzy Hash: a2e03ea964854cd0fe1766a8ac839f894d0a44f5833241a3991acd8e5f8e9658
                                          • Instruction Fuzzy Hash: 4B214675D003499FCB10DFA9C885BDEBBF5FF48310F10842AE919A7240D778A955CBA0
                                          Function 06A8A788 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                          Download Yara Rule
                                          APIs
                                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06A8A818
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 8551bf952b3437b809458151c797991931035b6bfacef37a126319bc8ea10b9c
                                          • Instruction ID: c503c2271b3d20a5c92b478a758b7d13b4a5adc9d96d30d77764e1cfbddf2705
                                          • Opcode Fuzzy Hash: 8551bf952b3437b809458151c797991931035b6bfacef37a126319bc8ea10b9c
                                          • Instruction Fuzzy Hash: 562136B5D003599FCB10DFA9C985BEEBBF5FF48310F10842AE919A7240D778A955CBA0
                                          Function 06A8A870 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                                          Download Yara Rule
                                          APIs
                                          • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06A8A8F8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 8295c9b8495543920a4dcbfe423fb5d2320e3feeb652e5f4866c5eecd46ec958
                                          • Instruction ID: 08f60379fe94b5e7e4d5448ef24e51805a2a0429dc98ea5f4ac5b57beaab2eb7
                                          • Opcode Fuzzy Hash: 8295c9b8495543920a4dcbfe423fb5d2320e3feeb652e5f4866c5eecd46ec958
                                          • Instruction Fuzzy Hash: 5C2136B1D002499FDB10DFAAC881AEEFBF5FF48310F10842AE519A7240C7359945CBA0
                                          Function 06A8A5E9 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON
                                          Download Yara Rule
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06A8A66E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: fec306896e1727a675be83eeeb8223d4621f0cd6feb730cc31167cefc439967d
                                          • Instruction ID: 4d65dca9b7ec1d13e847b2bdb89b6adc9cde7ce86b6155e3ddca59411928af5b
                                          • Opcode Fuzzy Hash: fec306896e1727a675be83eeeb8223d4621f0cd6feb730cc31167cefc439967d
                                          • Instruction Fuzzy Hash: 62215771D002099FCB50EFAAC4857EEFBF4EF48324F14842AD519A7240DB78A945CFA0
                                          Function 00FED689 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                          Download Yara Rule
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FED717
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1319967436.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_fe0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: bdac14dcecc0a1b7c7df595d024f78a7f84d7a6a1f805ca0553efba9157fc016
                                          • Instruction ID: ef8e38fdf0684acd9012811dca16686f59eecdc1c17c06b52bdcd1b96b1d1940
                                          • Opcode Fuzzy Hash: bdac14dcecc0a1b7c7df595d024f78a7f84d7a6a1f805ca0553efba9157fc016
                                          • Instruction Fuzzy Hash: 9321E4B5D00248AFDB10CFAAD585ADEBFF8EB48324F14841AE918B3310D374A954CFA0
                                          Function 06A8A5F0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                          Download Yara Rule
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06A8A66E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: f939226342762e5d58bad2bc4e983a9c95251d39c23d00d7a8aa78f68f27a4a1
                                          • Instruction ID: 06dd8276cadf274b1a12028e56f5970912cc413075aff5ed40aed8ccd5a5cf79
                                          • Opcode Fuzzy Hash: f939226342762e5d58bad2bc4e983a9c95251d39c23d00d7a8aa78f68f27a4a1
                                          • Instruction Fuzzy Hash: EA214771D003098FDB50EFAAC4857EEBBF4EF48324F14842AD519A7240D778A945CFA0
                                          Function 06A8A878 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                          Download Yara Rule
                                          APIs
                                          • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06A8A8F8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 4b866bd605bab82e325ff3a7377a2d7bcce5b60dee10b51470736e1c4e9a7bda
                                          • Instruction ID: 68c691e62a548673182fa23ee4aeb9f6fe72045aa3ea2685e7601521ce049ba3
                                          • Opcode Fuzzy Hash: 4b866bd605bab82e325ff3a7377a2d7bcce5b60dee10b51470736e1c4e9a7bda
                                          • Instruction Fuzzy Hash: C52139B1D003599FCB10DFAAC881ADEFBF5FF48310F10842AE519A7240D7759945CBA0
                                          Function 00FED690 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                          Download Yara Rule
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FED717
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1319967436.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_fe0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: b25976d9e34434dc7d177e8339ffc10c9ea346a5b844ab780627fc0f80a7dd3b
                                          • Instruction ID: ce18853c2b93228f028da1017f15656237ce74596cdb6416bbc20f97d1181fe5
                                          • Opcode Fuzzy Hash: b25976d9e34434dc7d177e8339ffc10c9ea346a5b844ab780627fc0f80a7dd3b
                                          • Instruction Fuzzy Hash: 2221C4B5D00248AFDB10CFAAD585ADEBFF8EB48310F14841AE918A3350D374A954CFA5
                                          Function 06A8A6C1 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
                                          Download Yara Rule
                                          APIs
                                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06A8A736
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 90b54e9c0a1216bee7e9b47845869ee4419edeba356be215c35491cb7ca23d00
                                          • Instruction ID: 0eeecab8d6144589408ced25ef8f935db1ee98a58a0e222f6964824d339a6a5d
                                          • Opcode Fuzzy Hash: 90b54e9c0a1216bee7e9b47845869ee4419edeba356be215c35491cb7ca23d00
                                          • Instruction Fuzzy Hash: 3C1159719002099FCB14EFA9C845ADEFFF5EF48320F10841AE519A7250C775A554DFA0
                                          Function 06A8A6C8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                          Download Yara Rule
                                          APIs
                                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06A8A736
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: f49bba2a500a01951765fdb663260dbfd8a813bccf214eb566d0b0ea690f7034
                                          • Instruction ID: 5aca77a34d143b1f9c9a422613caa802866b9f4556a0dfe98302be886afacf85
                                          • Opcode Fuzzy Hash: f49bba2a500a01951765fdb663260dbfd8a813bccf214eb566d0b0ea690f7034
                                          • Instruction Fuzzy Hash: 9F1137719002499FCB10EFAAC845BDEBFF5EF48320F10841AE519A7250C775A944CFA0
                                          Function 06A8A100 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON
                                          Download Yara Rule
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 0ccb1b69997f9b01e031a00a6e1d345997c854f918205d9730d1e2fc64f58214
                                          • Instruction ID: 8044a0a1594b98f143d0ad95b3fcdd86028c8a666636af2c725cf4fb2198b70f
                                          • Opcode Fuzzy Hash: 0ccb1b69997f9b01e031a00a6e1d345997c854f918205d9730d1e2fc64f58214
                                          • Instruction Fuzzy Hash: 95115B71D002098FCB24DFAAC8457DEFFF4EB49314F24841AD519A7240C7756544CBA4
                                          Function 06A8A108 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                          Download Yara Rule
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 1bbcbc9797ff7c5efe1ba2460ffcd2438f57dd95a79e8f49d91546f0a17b7e82
                                          • Instruction ID: 4beebb3943dbd585f7b3f97189e419bc9733f4cbd53b820c8e7acc6540d699cd
                                          • Opcode Fuzzy Hash: 1bbcbc9797ff7c5efe1ba2460ffcd2438f57dd95a79e8f49d91546f0a17b7e82
                                          • Instruction Fuzzy Hash: DF1136B1D002488FCB24EFAAC8457DEFBF4EB88324F20841AD519A7240C779A945CBA4
                                          Function 06A8AAF4 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                          Download Yara Rule
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 06A8D76D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: a288e2c1288d6266f634534f2f0e42dd8780e1df843c54cce4e4b9d629cd95a4
                                          • Instruction ID: 7e4b7dfb1bf0e4df903ac756801c5b0e3a773cbacf51dba1929d67d929f6934f
                                          • Opcode Fuzzy Hash: a288e2c1288d6266f634534f2f0e42dd8780e1df843c54cce4e4b9d629cd95a4
                                          • Instruction Fuzzy Hash: B21103B58003489FDB50EF9AD889BDEFBF8EB48310F208419E958B7240D375A954CFA5
                                          Function 00FEAF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                          Download Yara Rule
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00FEAFFE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1319967436.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_fe0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 794db74a8f9edcbf45808a8a77b873e85c12660d7799a5062f1a6512f261be89
                                          • Instruction ID: 3b063b7ca1b434c21d43141e7e0490af3f23ac53714f368795a0d994a0fefd4a
                                          • Opcode Fuzzy Hash: 794db74a8f9edcbf45808a8a77b873e85c12660d7799a5062f1a6512f261be89
                                          • Instruction Fuzzy Hash: AE11DFB5C006498FCB14DF9AD444B9EFBF5AB88324F11841AD929A7210D375A545CFA1
                                          Function 06A8D708 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON
                                          Download Yara Rule
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 06A8D76D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 89efd79ba3016b27d895324122f57d914b7bc522ab7c2d9676daf1047d3ab632
                                          • Instruction ID: 45d855a2df6f67f1659b881f3e3c8c41283975dc5982139ec2b82f4e88fe12b9
                                          • Opcode Fuzzy Hash: 89efd79ba3016b27d895324122f57d914b7bc522ab7c2d9676daf1047d3ab632
                                          • Instruction Fuzzy Hash: D81103B58003499FDB50EF9AD985BDEBBF4EB48310F20841AD918B7640C374A554CFA1
                                          Function 00BED3D8 Relevance: .1, Instructions: 75COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1319470158.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_bed000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 683f5ba81c01ccbb8e73d834ae02a3c03732ce2e2004477a13cd1dfa23f4d371
                                          • Instruction ID: 99dd27d0084b0040598cbc793ffe45f9d606543626dc2c4a633afbaa844401b2
                                          • Opcode Fuzzy Hash: 683f5ba81c01ccbb8e73d834ae02a3c03732ce2e2004477a13cd1dfa23f4d371
                                          • Instruction Fuzzy Hash: A2214871100284DFCB01DF05C9C0B16BFB5FBA8314F20C1A8E8090B39AC376E806C6A2
                                          Function 00BED4C4 Relevance: .1, Instructions: 75COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1319470158.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_bed000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fa6f75e9cf426b4047065a595622f1cf958b30880966b0f9bcf7b6cd8010779f
                                          • Instruction ID: 930324dcbd6acab7218755f6d8d9e3e751779306dc3dc9ce92b959ae3aca5657
                                          • Opcode Fuzzy Hash: fa6f75e9cf426b4047065a595622f1cf958b30880966b0f9bcf7b6cd8010779f
                                          • Instruction Fuzzy Hash: 43213771504280DFDB05DF15D9C0F26BFE5FBA8318F20C5A9E8090B256C376D816CBA1
                                          Function 00BFD01C Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1319606795.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_bfd000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 22415c227daef370eeada99d210e33eddad9316065bf7192553d425d101136c0
                                          • Instruction ID: 3cd667998fd705f455cb7bbc7971f315df9b0ee171ee8f123b84a4dade83f1b9
                                          • Opcode Fuzzy Hash: 22415c227daef370eeada99d210e33eddad9316065bf7192553d425d101136c0
                                          • Instruction Fuzzy Hash: EE210775504208DFDB14DF24D5D4B26BFA6FB84314F20C5ADEA094B356CB36D80BCA61
                                          Function 00BFD1D4 Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1319606795.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_bfd000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 954f879bfdc1fcfd3feeff955caa8989b0b8c23d024812fdd07e320360c54d59
                                          • Instruction ID: d49b7aa4237a4bf45d07dfc21f12f0d37b461393e3ac9b44fcaf34bdeba568f4
                                          • Opcode Fuzzy Hash: 954f879bfdc1fcfd3feeff955caa8989b0b8c23d024812fdd07e320360c54d59
                                          • Instruction Fuzzy Hash: 48212971604208DFDB05DF14D5C0B36BBE6FB84314F20C5EDEA094B255C376D80ACAA1
                                          Function 00BFD006 Relevance: .1, Instructions: 60COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1319606795.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_bfd000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dc455448f44cc6c9da7928c7570761a28dfadf4735e1642a9413c969293c4cc2
                                          • Instruction ID: ed080001a3edc55d57786b996d694b02f498c9c698c4bc261bc930959a7c0fee
                                          • Opcode Fuzzy Hash: dc455448f44cc6c9da7928c7570761a28dfadf4735e1642a9413c969293c4cc2
                                          • Instruction Fuzzy Hash: 7721C6755093848FCB06CF20D594715BFB2EB45314F28C5EAD9498B297C33AD80ACB62
                                          Function 00BED4BF Relevance: .1, Instructions: 56COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1319470158.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_bed000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
                                          • Instruction ID: ffbc094988ac5a82dab0421870e7d68a95c71f358ae1e7788984948a25c251a2
                                          • Opcode Fuzzy Hash: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
                                          • Instruction Fuzzy Hash: AC11D376504280CFCB16CF14D9C4B16BFB1FBA4314F24C6AAD8490B656C336D85ACBA1
                                          Function 00BED3D3 Relevance: .1, Instructions: 56COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1319470158.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_bed000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
                                          • Instruction ID: 24d3b15d834695a1abaa08dda2effe9c173fa39026fd20e0ffea81e50fb08809
                                          • Opcode Fuzzy Hash: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
                                          • Instruction Fuzzy Hash: 04110376504280CFCB02CF00D5C4B16BFB1FBA4324F24C2A9E8090B356C33AE85ACBA1
                                          Function 00BFD1CF Relevance: .1, Instructions: 53COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1319606795.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_bfd000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                          • Instruction ID: e7c8acf254dc3108d77851e1b2f2327f5a8ea3f7da64cab980fe29b4c0b14e96
                                          • Opcode Fuzzy Hash: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                          • Instruction Fuzzy Hash: 0611DD75504284DFCB02CF10C5C4B25FBB2FB84314F24C6AED9494B296C33AD80ACBA1

                                          Non-executed Functions

                                          Function 06A87970 Relevance: 1.4, Strings: 1, Instructions: 127COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: `6
                                          • API String ID: 0-3354348281
                                          • Opcode ID: 8accfc7463159c237350263ce18b06f9847da66d775d80ebea2a5343b63065d7
                                          • Instruction ID: 3481aeb0653f36b244db971508151951a74e20e99767c50d27cdea0ba308429b
                                          • Opcode Fuzzy Hash: 8accfc7463159c237350263ce18b06f9847da66d775d80ebea2a5343b63065d7
                                          • Instruction Fuzzy Hash: DC510C74E112198FDB14DFA9C5805AEFBF2BF89304F24C16AD418AB315D730AA42CFA1
                                          Function 06A87D98 Relevance: .3, Instructions: 318COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 646de908c7a0ef8f3a4f0c30799d75b08d70c952ece7941efc7d7bdeab42d846
                                          • Instruction ID: bc365e53547ae3d85c894ec89d92961874d037ff9fd1c98417521cbf8e055fe0
                                          • Opcode Fuzzy Hash: 646de908c7a0ef8f3a4f0c30799d75b08d70c952ece7941efc7d7bdeab42d846
                                          • Instruction Fuzzy Hash: 9EE11974E051598FCB14EFA9C5809AEFBF2BF89304F248169D414AB355DB34AD82CFA0
                                          Function 04DB0040 Relevance: .3, Instructions: 315COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1324198058.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4db0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e89bcf5561b30d48e1907ba14a65924cf88284344c5fddce3af985859c9d1170
                                          • Instruction ID: 4d8e9369b466b961f66d97c82f7446f7dc3b2d8156791f0196405f930bcf3d3e
                                          • Opcode Fuzzy Hash: e89bcf5561b30d48e1907ba14a65924cf88284344c5fddce3af985859c9d1170
                                          • Instruction Fuzzy Hash: 5612C7B0D827468AD352DF26E88CB893BB2BB44319FD0CB09D2615F2E1D7B4116ACF44
                                          Function 06A8A1B8 Relevance: .3, Instructions: 312COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7c3b1db3d735cb793dcaed075373a653be159cc3fdcd897d476adc38307b700d
                                          • Instruction ID: c0d50f5f26c0a512a2c8dc41065d62befff8acc49f8e3112cef3e8689b598ac7
                                          • Opcode Fuzzy Hash: 7c3b1db3d735cb793dcaed075373a653be159cc3fdcd897d476adc38307b700d
                                          • Instruction Fuzzy Hash: 74E10974E012598FCB14EFA9C5809AEFBB2FF89304F24816AD515AB355D734AD81CFA0
                                          Function 06A881E0 Relevance: .3, Instructions: 312COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3c4ed3f346b932cd3c2664b7c920040a3049212dd5402659e67bedc658751020
                                          • Instruction ID: 7f48095b92c6d406658012ae5a6c51eb039f5c9f7fccdc7f84d4bda3662dff5e
                                          • Opcode Fuzzy Hash: 3c4ed3f346b932cd3c2664b7c920040a3049212dd5402659e67bedc658751020
                                          • Instruction Fuzzy Hash: EFE1F8B4E052598FCB14EFA9C5809AEFBB2FF89304F248169D415AB355DB34AD41CFA0
                                          Function 06A89888 Relevance: .3, Instructions: 312COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 27e83c1e917b51efef8e7f7bbf66e98a1c30f962907a3a7de17c66018ff4ff6e
                                          • Instruction ID: 5c7ef53668b27092ab7fbefe26d476ea616bdf2d94d39dd2625087c9f91a1bd2
                                          • Opcode Fuzzy Hash: 27e83c1e917b51efef8e7f7bbf66e98a1c30f962907a3a7de17c66018ff4ff6e
                                          • Instruction Fuzzy Hash: 28E109B4E141598FCB14EFA9C5809AEFBF2FF89304F248169D415AB356D731A942CFA0
                                          Function 00FED5BC Relevance: .3, Instructions: 264COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1319967436.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_fe0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d5795fcb657098d1988c85c10e29a9276deab777e3be10e4c64ae090a79d0152
                                          • Instruction ID: b8ac7b948983bc7a250dbf58b1b424cf284d2a87d1c21cf48b328a2c82b92122
                                          • Opcode Fuzzy Hash: d5795fcb657098d1988c85c10e29a9276deab777e3be10e4c64ae090a79d0152
                                          • Instruction Fuzzy Hash: A8A17F32E00249CFCF09DFB6C84499EB7B2FF85310B25857AE805AB265DB35E959DB40
                                          Function 04DB0007 Relevance: .2, Instructions: 244COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1324198058.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4db0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ce15b449f5573451e2c94bcd84f624a77687713cf48571ef376144e6758e305a
                                          • Instruction ID: 57c16d8dc9219f48dba3d975a6e6e488ad662c51b21927d46871bff69ca317db
                                          • Opcode Fuzzy Hash: ce15b449f5573451e2c94bcd84f624a77687713cf48571ef376144e6758e305a
                                          • Instruction Fuzzy Hash: 59C12CB0D817468FD712DF66E888A893BB1BB85319F90CB09D1616F2E1DBB4146ACF44
                                          Function 06A881D1 Relevance: .1, Instructions: 128COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ba24f2c3bb00425de550b7037fdcf1fac0d72261f28d40c6cfe7267702ba5844
                                          • Instruction ID: cdb921dbf61e766ddc1aa9a5046118f31ab11f61fc68fbe839a5e9829e8aa75e
                                          • Opcode Fuzzy Hash: ba24f2c3bb00425de550b7037fdcf1fac0d72261f28d40c6cfe7267702ba5844
                                          • Instruction Fuzzy Hash: 36510D70E152198FDB14DFAAC5805AEFBF2FF89304F248169D418AB215DB34A942CFA0
                                          Function 06A87DA8 Relevance: .1, Instructions: 127COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1326449579.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6a80000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0c4961aa9a77b510e7e4c7c43137ff8809e262f8f1786413d93b00523fa3688c
                                          • Instruction ID: 2bfff1323a1834ff04163006fb1ec8d874bbfb48cc64b4281506a337badc7fc7
                                          • Opcode Fuzzy Hash: 0c4961aa9a77b510e7e4c7c43137ff8809e262f8f1786413d93b00523fa3688c
                                          • Instruction Fuzzy Hash: D251C874E152198FDB14DFAAC9805AEFBF2BF89304F24C169D418AB315D731A942CFA1
                                          Function 04DBBC43 Relevance: .1, Instructions: 117COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1324198058.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4db0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 067876b4a4a1e41b502bf401ff515b44ccc91ad2f3197a2065d841857436e635
                                          • Instruction ID: 85aae663d969d60125b979bc8643731b2421a29bce6d14e8ff5b231d1f021d64
                                          • Opcode Fuzzy Hash: 067876b4a4a1e41b502bf401ff515b44ccc91ad2f3197a2065d841857436e635
                                          • Instruction Fuzzy Hash: 76319631850E19CBDF1E4FB684925CDBB70FF27718FA4474CC965A21DAEA6540A3C681

                                          Execution Graph

                                          Execution Coverage:12%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:147
                                          Total number of Limit Nodes:11
                                          execution_graph 41813 67c3a18 41814 67c3a1d GetCurrentProcess 41813->41814 41816 67c3aa9 41814->41816 41817 67c3ab0 GetCurrentThread 41814->41817 41816->41817 41818 67c3aed GetCurrentProcess 41817->41818 41819 67c3ae6 41817->41819 41820 67c3b23 41818->41820 41819->41818 41821 67c3b4b GetCurrentThreadId 41820->41821 41822 67c3b7c 41821->41822 41827 11c0848 41829 11c084e 41827->41829 41828 11c091b 41829->41828 41832 11c138f 41829->41832 41849 11c14bf 41829->41849 41834 11c1332 41832->41834 41835 11c1393 41832->41835 41833 11c14ba 41833->41829 41834->41829 41835->41833 41848 11c14bf 5 API calls 41835->41848 41865 11c8150 41835->41865 41869 11c8160 41835->41869 41873 11c8858 41835->41873 41878 11c7cc4 41835->41878 41883 11c7f32 41835->41883 41888 11c7f91 41835->41888 41893 11c7cd4 41835->41893 41898 11c7c55 41835->41898 41903 11c7ef4 41835->41903 41908 11c7dc8 41835->41908 41913 11c7c80 41835->41913 41918 11c7cb4 41835->41918 41848->41835 41850 11c13a6 41849->41850 41851 11c14ba 41850->41851 41852 11c14bf 5 API calls 41850->41852 41853 11c7dc8 DeleteFileW 41850->41853 41854 11c7cb4 DeleteFileW 41850->41854 41855 11c7cd4 DeleteFileW 41850->41855 41856 11c7cc4 DeleteFileW 41850->41856 41857 11c7ef4 DeleteFileW 41850->41857 41858 11c7c55 DeleteFileW 41850->41858 41859 11c7c80 DeleteFileW 41850->41859 41860 11c7f91 DeleteFileW 41850->41860 41861 11c7f32 DeleteFileW 41850->41861 41862 11c8858 3 API calls 41850->41862 41863 11c8150 MoveFileA 41850->41863 41864 11c8160 MoveFileA 41850->41864 41851->41829 41852->41850 41853->41850 41854->41850 41855->41850 41856->41850 41857->41850 41858->41850 41859->41850 41860->41850 41861->41850 41862->41850 41863->41850 41864->41850 41866 11c817f 41865->41866 41868 11c823a 41866->41868 41923 11c7838 41866->41923 41868->41835 41870 11c817f 41869->41870 41871 11c7838 MoveFileA 41870->41871 41872 11c823a 41870->41872 41871->41872 41872->41835 41874 11c8862 41873->41874 41875 11c887c 41874->41875 41927 682fa0b 41874->41927 41932 682fa18 41874->41932 41875->41835 41880 11c7c7d 41878->41880 41879 11c7bd2 41879->41835 41880->41879 41937 11c8040 41880->41937 41941 11c8031 41880->41941 41885 11c7f37 41883->41885 41884 11c8023 41884->41835 41886 11c8040 DeleteFileW 41885->41886 41887 11c8031 DeleteFileW 41885->41887 41886->41884 41887->41884 41890 11c7f96 41888->41890 41889 11c8023 41889->41835 41891 11c8040 DeleteFileW 41890->41891 41892 11c8031 DeleteFileW 41890->41892 41891->41889 41892->41889 41894 11c7c7d 41893->41894 41895 11c7bd2 41894->41895 41896 11c8040 DeleteFileW 41894->41896 41897 11c8031 DeleteFileW 41894->41897 41895->41835 41896->41895 41897->41895 41900 11c7c5c 41898->41900 41899 11c7bd2 41899->41835 41900->41899 41901 11c8040 DeleteFileW 41900->41901 41902 11c8031 DeleteFileW 41900->41902 41901->41899 41902->41899 41905 11c7ef9 41903->41905 41904 11c8023 41904->41835 41906 11c8040 DeleteFileW 41905->41906 41907 11c8031 DeleteFileW 41905->41907 41906->41904 41907->41904 41910 11c7de1 41908->41910 41909 11c8023 41909->41835 41910->41909 41911 11c8040 DeleteFileW 41910->41911 41912 11c8031 DeleteFileW 41910->41912 41911->41909 41912->41909 41914 11c7c7d 41913->41914 41915 11c7bd2 41914->41915 41916 11c8040 DeleteFileW 41914->41916 41917 11c8031 DeleteFileW 41914->41917 41915->41835 41916->41915 41917->41915 41920 11c7c7d 41918->41920 41919 11c7bd2 41919->41835 41920->41919 41921 11c8040 DeleteFileW 41920->41921 41922 11c8031 DeleteFileW 41920->41922 41921->41919 41922->41919 41925 11c8670 MoveFileA 41923->41925 41926 11c870f 41925->41926 41926->41868 41928 682fa12 41927->41928 41929 682fc42 41928->41929 41930 682fc57 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 41928->41930 41931 682fc68 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 41928->41931 41929->41875 41930->41928 41931->41928 41934 682fa2d 41932->41934 41933 682fc42 41933->41875 41934->41933 41935 682fc57 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 41934->41935 41936 682fc68 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 41934->41936 41935->41934 41936->41934 41938 11c8050 41937->41938 41939 11c8082 41938->41939 41945 11c7810 41938->41945 41939->41879 41942 11c8050 41941->41942 41943 11c8082 41942->41943 41944 11c7810 DeleteFileW 41942->41944 41943->41879 41944->41943 41946 11c80a0 DeleteFileW 41945->41946 41948 11c811f 41946->41948 41948->41939 41823 67ce430 41824 67ce498 CreateWindowExW 41823->41824 41826 67ce554 41824->41826 41949 67c3c60 41950 67c3c66 DuplicateHandle 41949->41950 41951 67c3cf6 41950->41951 41952 67c7b00 41953 67c7b05 41952->41953 41958 67c6784 41953->41958 41956 67c6784 GetModuleHandleW 41957 67c8887 41956->41957 41959 67c678f 41958->41959 41960 67c6789 41958->41960 41959->41960 41962 67c46dc 41959->41962 41960->41956 41963 67c46e7 41962->41963 41968 67c63b4 41963->41968 41965 67c685f 41972 67cbbac 41965->41972 41969 67c63bf 41968->41969 41978 67c752c 41969->41978 41971 67c78c0 41971->41965 41973 67c6899 41972->41973 41974 67cbbc5 41972->41974 41973->41960 41982 67cbdf8 41974->41982 41985 67cbde8 41974->41985 41975 67cbbfd 41979 67c7537 41978->41979 41980 67c6784 GetModuleHandleW 41979->41980 41981 67c8d00 41979->41981 41980->41981 41981->41971 41989 67cbe38 41982->41989 41983 67cbe02 41983->41975 41986 67cbdf8 41985->41986 41988 67cbe38 GetModuleHandleW 41986->41988 41987 67cbe02 41987->41975 41988->41987 41990 67cbe59 41989->41990 41991 67cbe7c 41989->41991 41990->41991 41992 67cc080 GetModuleHandleW 41990->41992 41991->41983 41993 67cc0ad 41992->41993 41993->41983

                                          Executed Functions

                                          Function 06822780 Relevance: 9.0, Strings: 6, Instructions: 1491COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q$$_q$$_q
                                          • API String ID: 0-155944776
                                          • Opcode ID: ee72610afcc536a6696f778ad9164c5ef0349810a627e3d8b89056d4b5f681b7
                                          • Instruction ID: c2b5c372f771edb3843e22895f50fbc7e98158e80c906ae9acb5ed06b992e27b
                                          • Opcode Fuzzy Hash: ee72610afcc536a6696f778ad9164c5ef0349810a627e3d8b89056d4b5f681b7
                                          • Instruction Fuzzy Hash: 70D26B34E0061ACFCB64DB68C594A9DB7B2FF89314F54C5A9D509EB264EB34ED81CB80
                                          Function 06827D68 Relevance: 3.0, Strings: 2, Instructions: 480COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2094 6827d68-6827d86 2097 6827d88-6827d8b 2094->2097 2098 6827dac-6827daf 2097->2098 2099 6827d8d-6827da7 2097->2099 2100 6827db1-6827dbb 2098->2100 2101 6827dbc-6827dbf 2098->2101 2099->2098 2103 6827de2-6827de5 2101->2103 2104 6827dc1-6827ddd 2101->2104 2105 6827de7-6827df5 2103->2105 2106 6827dfc-6827dfe 2103->2106 2104->2103 2112 6827e0e-6827e24 2105->2112 2114 6827df7 2105->2114 2107 6827e00 2106->2107 2108 6827e05-6827e08 2106->2108 2107->2108 2108->2097 2108->2112 2116 6827e2a-6827e33 2112->2116 2117 682803f-6828049 2112->2117 2114->2106 2118 682804a-6828052 2116->2118 2119 6827e39-6827e56 2116->2119 2122 6828054-6828056 2118->2122 2123 682805a 2118->2123 2129 682802c-6828039 2119->2129 2130 6827e5c-6827e84 2119->2130 2125 6828058 2122->2125 2126 682805e 2122->2126 2127 6828062-6828064 2123->2127 2128 682805b-682805d 2123->2128 2125->2123 2131 6828060-6828061 2126->2131 2132 6828065-682807f 2126->2132 2127->2132 2128->2126 2129->2116 2129->2117 2130->2129 2145 6827e8a-6827e93 2130->2145 2131->2127 2133 6828081-6828084 2132->2133 2135 682808a-6828099 2133->2135 2136 68282b9-68282bc 2133->2136 2143 682809b-68280b6 2135->2143 2144 68280b8-68280fc 2135->2144 2137 68282be-68282da 2136->2137 2138 68282df-68282e2 2136->2138 2137->2138 2141 68282e8-68282f4 2138->2141 2142 682838d-682838f 2138->2142 2149 68282ff-6828301 2141->2149 2147 6828391 2142->2147 2148 6828396-6828399 2142->2148 2143->2144 2161 6828102-6828113 2144->2161 2162 682828d-68282a3 2144->2162 2145->2118 2150 6827e99-6827eb5 2145->2150 2147->2148 2148->2133 2151 682839f-68283a8 2148->2151 2152 6828303-6828309 2149->2152 2153 6828319-682831d 2149->2153 2167 682801a-6828026 2150->2167 2168 6827ebb-6827ee5 2150->2168 2157 682830b 2152->2157 2158 682830d-682830f 2152->2158 2159 682832b 2153->2159 2160 682831f-6828329 2153->2160 2157->2153 2158->2153 2165 6828330-6828332 2159->2165 2160->2165 2173 6828278-6828287 2161->2173 2174 6828119-6828136 2161->2174 2162->2136 2169 6828343-682837c 2165->2169 2170 6828334-6828337 2165->2170 2167->2129 2167->2145 2184 6828010-6828015 2168->2184 2185 6827eeb-6827f13 2168->2185 2169->2135 2191 6828382-682838c 2169->2191 2170->2151 2173->2161 2173->2162 2174->2173 2183 682813c-6828232 call 6826590 2174->2183 2237 6828240 2183->2237 2238 6828234-682823e 2183->2238 2184->2167 2185->2184 2194 6827f19-6827f47 2185->2194 2194->2184 2200 6827f4d-6827f56 2194->2200 2200->2184 2201 6827f5c-6827f8e 2200->2201 2209 6827f90-6827f94 2201->2209 2210 6827f99-6827fb5 2201->2210 2209->2184 2211 6827f96 2209->2211 2210->2167 2212 6827fb7-682800e call 6826590 2210->2212 2211->2210 2212->2167 2239 6828245-6828247 2237->2239 2238->2239 2239->2173 2240 6828249-682824e 2239->2240 2241 6828250-682825a 2240->2241 2242 682825c 2240->2242 2243 6828261-6828263 2241->2243 2242->2243 2243->2173 2244 6828265-6828271 2243->2244 2244->2173
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q
                                          • API String ID: 0-458585787
                                          • Opcode ID: bc5905f2644f18aa6c04eac9b1e73412b238ee93fb4fe5416f0015254482890f
                                          • Instruction ID: 12275fa682d0f85ed523d93f8a63805eb9a28a1655056930e3f28f13eca3515b
                                          • Opcode Fuzzy Hash: bc5905f2644f18aa6c04eac9b1e73412b238ee93fb4fe5416f0015254482890f
                                          • Instruction Fuzzy Hash: 0302BD70B002268FDF54DB65D994AAEB7E2FF88314F108929D505EB394DB35EC86CB90
                                          Function 06825CE8 Relevance: 2.9, Strings: 2, Instructions: 416COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2246 6825ce8-6825cf8 2248 6825cfa-6825cfd 2246->2248 2249 6825d34-6825d37 2248->2249 2250 6825cff-6825d1e 2248->2250 2251 6825d40-6825d43 2249->2251 2252 6825d39-6825d3b 2249->2252 2265 6825d23-6825d29 2250->2265 2266 6825d20 2250->2266 2253 6825d61-6825d64 2251->2253 2254 6825d45-6825d4a 2251->2254 2252->2251 2258 6825d73-6825d76 2253->2258 2259 6825d66-6825d6c 2253->2259 2256 6825d4f-6825d5c 2254->2256 2257 6825d4c 2254->2257 2256->2253 2257->2256 2258->2259 2260 6825d78-6825d7b 2258->2260 2259->2250 2262 6825d6e 2259->2262 2263 6825d82-6825d84 2260->2263 2264 6825d7d-6825d7f 2260->2264 2262->2258 2268 6825d86 2263->2268 2269 6825d8b-6825d8e 2263->2269 2264->2263 2270 6825d2b-6825d2f 2265->2270 2271 6825d9d-6825daa 2265->2271 2266->2265 2268->2269 2269->2248 2272 6825d94-6825d9c 2269->2272 2270->2249 2274 6825db2 2271->2274 2275 6825dac-6825dad 2271->2275 2276 6825db4-6825db6 2274->2276 2277 6825dba-6825dbc 2274->2277 2275->2274 2278 6825db8-6825db9 2276->2278 2279 6825dbd-6825dda 2276->2279 2277->2279 2278->2277 2280 6825ddc-6825ddf 2279->2280 2281 6825de1-6825de8 2280->2281 2282 6825def-6825df2 2280->2282 2283 6825e40-6825e47 2281->2283 2284 6825dea 2281->2284 2285 6825e00-6825e03 2282->2285 2286 6825df4-6825dfd 2282->2286 2287 6825f95-6825fa8 2283->2287 2288 6825e4d-6825e94 2283->2288 2284->2282 2289 6825e05-6825e13 2285->2289 2290 6825e18-6825e1b 2285->2290 2306 6825e96-6825ea5 2288->2306 2289->2290 2291 6825e37-6825e3a 2290->2291 2292 6825e1d-6825e32 2290->2292 2291->2283 2293 6825fb4-6825fb6 2291->2293 2292->2291 2298 6825fb8 2293->2298 2299 6825fbd-6825fc0 2293->2299 2298->2299 2299->2280 2300 6825fc6-6825fd0 2299->2300 2308 6825fd3-6825fe2 2306->2308 2309 6825eab-6825ec1 2306->2309 2313 6825fe4-6825fe9 2308->2313 2314 6825fea-6826012 2308->2314 2309->2308 2312 6825ec7-6825ecf 2309->2312 2312->2306 2315 6825ed1-6825ed7 2312->2315 2313->2314 2319 6826014-6826017 2314->2319 2317 6825f37-6825f87 call 6824b08 2315->2317 2318 6825ed9-6825edc 2315->2318 2368 6825f92 2317->2368 2369 6825f89 2317->2369 2318->2308 2320 6825ee2-6825eed 2318->2320 2321 6826019-682602a 2319->2321 2322 682602f-6826032 2319->2322 2320->2308 2325 6825ef3-6825efd 2320->2325 2321->2322 2323 6826034-6826040 2322->2323 2324 6826045-6826048 2322->2324 2323->2324 2328 68260d9-68260dc 2324->2328 2329 682604e-6826055 2324->2329 2325->2308 2330 6825f03-6825f0d 2325->2330 2335 68260de-68260ea 2328->2335 2336 68260ef-68260f2 2328->2336 2332 682610b-682611e 2329->2332 2333 682605b-68260c6 2329->2333 2330->2308 2334 6825f13-6825f28 2330->2334 2377 68260cf-68260d6 2333->2377 2334->2308 2338 6825f2e-6825f35 2334->2338 2335->2336 2339 6826106-6826109 2336->2339 2340 68260f4-68260fb 2336->2340 2338->2317 2338->2318 2339->2332 2343 6826121-6826124 2339->2343 2340->2329 2341 6826101 2340->2341 2341->2339 2347 6826162-6826165 2343->2347 2348 6826126-6826145 2343->2348 2351 6826167-682617a 2347->2351 2352 682617f-6826182 2347->2352 2371 68261c1-68261cb 2348->2371 2351->2352 2353 6826184-6826193 2352->2353 2354 6826198-682619b 2352->2354 2353->2354 2358 68261af-68261b1 2354->2358 2359 682619d-68261aa 2354->2359 2364 68261b3 2358->2364 2365 68261b8-68261bb 2358->2365 2359->2358 2364->2365 2365->2319 2365->2371 2368->2287 2369->2368
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: XPdq$\Odq
                                          • API String ID: 0-770551486
                                          • Opcode ID: e9cc6ff3f1ecf9593d4cd84da921b7e4f46d4d6163720422b729d1a49f6ed81d
                                          • Instruction ID: eeeb22d8da4548d618b0ad89f5050bf62a05474752e6b608a11866ad7025ac82
                                          • Opcode Fuzzy Hash: e9cc6ff3f1ecf9593d4cd84da921b7e4f46d4d6163720422b729d1a49f6ed81d
                                          • Instruction Fuzzy Hash: B9D11631F101268FDB64DB68C484A6EBBF2FF89710F20846AE506DB391DA75DC85C792
                                          Function 068265E0 Relevance: .8, Instructions: 820COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c456410c86649a9c735f0615d92a555e960eed445366b67ebdc6d1351e36f8a1
                                          • Instruction ID: 97df89b9e7045eec7f5ea013451da82e59c3dd0243c062086c3fa59891784adc
                                          • Opcode Fuzzy Hash: c456410c86649a9c735f0615d92a555e960eed445366b67ebdc6d1351e36f8a1
                                          • Instruction Fuzzy Hash: A762B034A002269FDB54DB68D594BADB7F2FF88314F108469E505EB394EB35EC86CB90
                                          Function 0682C568 Relevance: .6, Instructions: 647COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 507be8150f77bfef14ba664ce8a85e84c7ef8ce909d2bbc271ea4e73f83ab9b5
                                          • Instruction ID: 21b0eed8155fb99b1490bfbebb85cbd093fd3794dfaa3b58b9746dc3b3dd0418
                                          • Opcode Fuzzy Hash: 507be8150f77bfef14ba664ce8a85e84c7ef8ce909d2bbc271ea4e73f83ab9b5
                                          • Instruction Fuzzy Hash: 1932C234B1021A9FDF94DB68D590BADBBB2FB88314F108529E505EB354DB35EC82CB91
                                          Function 068255C8 Relevance: .6, Instructions: 594COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 297d4890c7641d65f081434d02dceba404fdde4882b06af549cc93c3624a223e
                                          • Instruction ID: 1b0b4c980c0f0b1f16be3b6e7299a99b32f30ee6ada533f266dd8438ed91b65e
                                          • Opcode Fuzzy Hash: 297d4890c7641d65f081434d02dceba404fdde4882b06af549cc93c3624a223e
                                          • Instruction Fuzzy Hash: 84121571F502269FDB24CB64C88066EB7B2FF84314F248429DA56DB384DB34DC82CB92
                                          Function 0682B220 Relevance: .6, Instructions: 576COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 07ec687f96a9a6b00ca6e4c659822171fae1f69aa88262ec18b97258b03026ee
                                          • Instruction ID: 8aef31b81b73230f1c13ec74ecc47a3b2d234b30d4ee2b23528351131a723f8f
                                          • Opcode Fuzzy Hash: 07ec687f96a9a6b00ca6e4c659822171fae1f69aa88262ec18b97258b03026ee
                                          • Instruction Fuzzy Hash: BE228E30E1122A8FDF64CB68C5907ADB7B2FB49318F248826E519EB395DA34DCC5CB51
                                          Function 0682ACB8 Relevance: 10.4, Strings: 8, Instructions: 389COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 529 682acb8-682acd6 532 682acd8-682acdb 529->532 533 682acf5-682acf8 532->533 534 682acdd-682acf0 532->534 535 682acfa-682ad07 533->535 536 682ad0c-682ad0f 533->536 534->533 535->536 538 682ad11-682ad1a 536->538 539 682ad29-682ad2c 536->539 541 682ad20-682ad24 538->541 542 682aeef-682af26 538->542 543 682ad2e-682ad4a 539->543 544 682ad4f-682ad52 539->544 541->539 554 682af28-682af2b 542->554 543->544 545 682ad62-682ad65 544->545 546 682ad54-682ad5d 544->546 547 682aed5-682aede 545->547 548 682ad6b-682ad6e 545->548 546->545 547->538 551 682aee4-682aeee 547->551 552 682ad70-682ad75 548->552 553 682ad78-682ad7b 548->553 552->553 555 682ad8c-682ad8e 553->555 556 682ad7d-682ad81 553->556 558 682af38-682af3b 554->558 559 682af2d-682af31 554->559 563 682ad90 555->563 564 682ad95-682ad98 555->564 556->551 562 682ad87 556->562 560 682af48-682af4b 558->560 561 682af3d-682af47 558->561 565 682af33 559->565 566 682af51-682af8c 559->566 560->566 567 682b1b4-682b1b7 560->567 562->555 563->564 564->532 568 682ad9e-682adc2 564->568 565->558 575 682af92-682af9e 566->575 576 682b17f-682b192 566->576 569 682b1da-682b1dd 567->569 570 682b1b9-682b1d5 567->570 586 682aed2 568->586 587 682adc8-682add7 568->587 572 682b1df 569->572 573 682b1ec-682b1ee 569->573 570->569 654 682b1df call 682b213 572->654 655 682b1df call 682b220 572->655 578 682b1f0 573->578 579 682b1f5-682b1f8 573->579 588 682afa0-682afb9 575->588 589 682afbe-682b002 575->589 580 682b194 576->580 578->579 579->554 582 682b1fe-682b208 579->582 580->567 581 682b1e5-682b1e7 581->573 586->547 592 682add9-682addf 587->592 593 682adef-682ae2a call 6826590 587->593 588->580 604 682b004-682b016 589->604 605 682b01e-682b05d 589->605 594 682ade3-682ade5 592->594 595 682ade1 592->595 612 682ae42-682ae59 593->612 613 682ae2c-682ae32 593->613 594->593 595->593 604->605 610 682b063-682b13e call 6826590 605->610 611 682b144-682b159 605->611 610->611 611->576 623 682ae71-682ae82 612->623 624 682ae5b-682ae61 612->624 616 682ae36-682ae38 613->616 617 682ae34 613->617 616->612 617->612 629 682ae84-682ae8a 623->629 630 682ae9a-682aecb 623->630 625 682ae63 624->625 626 682ae65-682ae67 624->626 625->623 626->623 632 682ae8e-682ae90 629->632 633 682ae8c 629->633 630->586 632->630 633->630 654->581 655->581
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q
                                          • API String ID: 0-2216122830
                                          • Opcode ID: 16cd17f7d505edeb56b8da6fd3ec842c1e0833bd1d58844cc76dcd8ad24f65ba
                                          • Instruction ID: 6a59d0304d39d72ff79b40259dc3de8f681dd98cc5384d37212d22d56f18e5e6
                                          • Opcode Fuzzy Hash: 16cd17f7d505edeb56b8da6fd3ec842c1e0833bd1d58844cc76dcd8ad24f65ba
                                          • Instruction Fuzzy Hash: 68E17134E1021A8FDB69DF68D9906AEB7B2FF84308F108529E505EB354DB74DC86CB91
                                          Function 067C3A0B Relevance: 6.1, APIs: 4, Instructions: 136threadCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1115 67c3a0b-67c3a16 1117 67c3a1d-67c3aa7 GetCurrentProcess 1115->1117 1118 67c3a18-67c3a1c 1115->1118 1122 67c3aa9-67c3aaf 1117->1122 1123 67c3ab0-67c3ae4 GetCurrentThread 1117->1123 1118->1117 1122->1123 1124 67c3aed-67c3b21 GetCurrentProcess 1123->1124 1125 67c3ae6-67c3aec 1123->1125 1126 67c3b2a-67c3b45 call 67c3bf3 1124->1126 1127 67c3b23-67c3b29 1124->1127 1125->1124 1131 67c3b4b-67c3b7a GetCurrentThreadId 1126->1131 1127->1126 1132 67c3b7c-67c3b82 1131->1132 1133 67c3b83-67c3be5 1131->1133 1132->1133
                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 067C3A96
                                          • GetCurrentThread.KERNEL32 ref: 067C3AD3
                                          • GetCurrentProcess.KERNEL32 ref: 067C3B10
                                          • GetCurrentThreadId.KERNEL32 ref: 067C3B69
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2559941370.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_67c0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 7e833d2c6cd71fadefd7dda60f7b9cbb0b9b1b1ec5db515349cc6e3883e32e78
                                          • Instruction ID: ada2e713bb4953bc924d5c0da5149099b28b297a7527c5712598239e6d4108f4
                                          • Opcode Fuzzy Hash: 7e833d2c6cd71fadefd7dda60f7b9cbb0b9b1b1ec5db515349cc6e3883e32e78
                                          • Instruction Fuzzy Hash: 2C5175B09013098FDB94CFA9D948BAEBBF1BF88324F20C46DE019A7260D7345944CB66
                                          Function 067C3A18 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1140 67c3a18-67c3aa7 GetCurrentProcess 1145 67c3aa9-67c3aaf 1140->1145 1146 67c3ab0-67c3ae4 GetCurrentThread 1140->1146 1145->1146 1147 67c3aed-67c3b21 GetCurrentProcess 1146->1147 1148 67c3ae6-67c3aec 1146->1148 1149 67c3b2a-67c3b45 call 67c3bf3 1147->1149 1150 67c3b23-67c3b29 1147->1150 1148->1147 1154 67c3b4b-67c3b7a GetCurrentThreadId 1149->1154 1150->1149 1155 67c3b7c-67c3b82 1154->1155 1156 67c3b83-67c3be5 1154->1156 1155->1156
                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 067C3A96
                                          • GetCurrentThread.KERNEL32 ref: 067C3AD3
                                          • GetCurrentProcess.KERNEL32 ref: 067C3B10
                                          • GetCurrentThreadId.KERNEL32 ref: 067C3B69
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2559941370.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_67c0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 93877c278d3e6deabd301419c6784d98962f075ace47d78eab9793996d3aad90
                                          • Instruction ID: b05dd75c2faf126005b14d84752a50a163b1288d6cc2488e098f49ee56b99e46
                                          • Opcode Fuzzy Hash: 93877c278d3e6deabd301419c6784d98962f075ace47d78eab9793996d3aad90
                                          • Instruction Fuzzy Hash: 4F5156B09007099FDB94DFA9D948BAEBBF1FF88324F20C46DE019A7250D7345944CB66
                                          Function 06829140 Relevance: 5.2, Strings: 4, Instructions: 230COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1163 6829140-6829165 1166 6829167-682916a 1163->1166 1167 6829170-6829185 1166->1167 1168 6829a28-6829a2b 1166->1168 1175 6829187-682918d 1167->1175 1176 682919d-68291b3 1167->1176 1169 6829a51-6829a53 1168->1169 1170 6829a2d-6829a4c 1168->1170 1172 6829a55 1169->1172 1173 6829a5a-6829a5d 1169->1173 1170->1169 1172->1173 1173->1166 1177 6829a63-6829a6d 1173->1177 1178 6829191-6829193 1175->1178 1179 682918f 1175->1179 1182 68291be-68291c0 1176->1182 1178->1176 1179->1176 1183 68291c2-68291c8 1182->1183 1184 68291d8-6829249 1182->1184 1185 68291ca 1183->1185 1186 68291cc-68291ce 1183->1186 1195 6829275-6829291 1184->1195 1196 682924b-682926e 1184->1196 1185->1184 1186->1184 1201 6829293-68292b6 1195->1201 1202 68292bd-68292d8 1195->1202 1196->1195 1201->1202 1207 6829303-682931e 1202->1207 1208 68292da-68292fc 1202->1208 1213 6829343-6829351 1207->1213 1214 6829320-682933c 1207->1214 1208->1207 1215 6829353-682935c 1213->1215 1216 6829361-68293db 1213->1216 1214->1213 1215->1177 1222 6829428-682943d 1216->1222 1223 68293dd-68293fb 1216->1223 1222->1168 1227 6829417-6829426 1223->1227 1228 68293fd-682940c 1223->1228 1227->1222 1227->1223 1228->1227
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q
                                          • API String ID: 0-1171383116
                                          • Opcode ID: 527b42de2f2b6b03f577d9b2ba7c6431f1a5eb66e3833d8cb5c3dc9a9bb1cc38
                                          • Instruction ID: 573900db27d4b2c75d456c269c604106fb1ebe7343ae1bd8faa2187379a3859e
                                          • Opcode Fuzzy Hash: 527b42de2f2b6b03f577d9b2ba7c6431f1a5eb66e3833d8cb5c3dc9a9bb1cc38
                                          • Instruction Fuzzy Hash: B9914E70F4021A9FDB54DF65D950BAEB3F6BB88204F108469D909EB348EF709D86CB91
                                          Function 0682D328 Relevance: 4.6, Strings: 3, Instructions: 801COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1231 682d328-682d343 1234 682d345-682d348 1231->1234 1235 682d391-682d394 1234->1235 1236 682d34a-682d38c 1234->1236 1237 682d396-682d3a5 1235->1237 1238 682d3dd-682d3e0 1235->1238 1236->1235 1241 682d3a7-682d3ac 1237->1241 1242 682d3b4-682d3c0 1237->1242 1239 682d3e2-682d3e4 1238->1239 1240 682d3ef-682d3f2 1238->1240 1244 682d811 1239->1244 1245 682d3ea 1239->1245 1246 682d3f4-682d40a 1240->1246 1247 682d40f-682d412 1240->1247 1241->1242 1248 682d3c6-682d3d8 1242->1248 1249 682dd45-682dd52 1242->1249 1253 682d814-682d820 1244->1253 1245->1240 1246->1247 1251 682d414-682d456 1247->1251 1252 682d45b-682d45e 1247->1252 1248->1238 1266 682dd54-682dd59 1249->1266 1267 682dd5a 1249->1267 1251->1252 1256 682d460-682d4a2 1252->1256 1257 682d4a7-682d4aa 1252->1257 1258 682d826-682db13 1253->1258 1259 682d56c-682d57b 1253->1259 1256->1257 1263 682d4b9-682d4bc 1257->1263 1264 682d4ac-682d4ae 1257->1264 1451 682dd3a-682dd44 1258->1451 1452 682db19-682db1f 1258->1452 1261 682d58a-682d596 1259->1261 1262 682d57d-682d582 1259->1262 1261->1249 1272 682d59c-682d5ae 1261->1272 1262->1261 1273 682d505-682d508 1263->1273 1274 682d4be-682d500 1263->1274 1270 682d4b4 1264->1270 1271 682d6cf-682d6d8 1264->1271 1266->1267 1275 682dd62-682dd7e 1267->1275 1276 682dd5c-682dd61 1267->1276 1270->1263 1281 682d6e7-682d6f3 1271->1281 1282 682d6da-682d6df 1271->1282 1303 682d5b3-682d5b6 1272->1303 1279 682d551-682d554 1273->1279 1280 682d50a-682d54c 1273->1280 1274->1273 1285 682dd80-682dd83 1275->1285 1276->1275 1279->1253 1295 682d55a-682d55d 1279->1295 1280->1279 1290 682d804-682d809 1281->1290 1291 682d6f9-682d70d 1281->1291 1282->1281 1292 682dd92-682dd95 1285->1292 1293 682dd85 1285->1293 1290->1244 1291->1244 1318 682d713-682d725 1291->1318 1299 682dd97-682ddb3 1292->1299 1300 682ddb8-682ddbb 1292->1300 1498 682dd85 call 682deb0 1293->1498 1499 682dd85 call 682de9d 1293->1499 1301 682d567-682d56a 1295->1301 1302 682d55f-682d564 1295->1302 1299->1300 1308 682ddee-682ddf0 1300->1308 1309 682ddbd-682dde9 1300->1309 1301->1259 1301->1303 1302->1301 1311 682d5b8-682d5fa 1303->1311 1312 682d5ff-682d602 1303->1312 1306 682dd8b-682dd8d 1306->1292 1320 682ddf2 1308->1320 1321 682ddf7-682ddfa 1308->1321 1309->1308 1311->1312 1315 682d604-682d646 1312->1315 1316 682d64b-682d64e 1312->1316 1315->1316 1323 682d650-682d692 1316->1323 1324 682d697-682d69a 1316->1324 1338 682d727-682d72d 1318->1338 1339 682d749-682d74b 1318->1339 1320->1321 1321->1285 1326 682ddfc-682de0b 1321->1326 1323->1324 1334 682d69c-682d6b8 1324->1334 1335 682d6bd-682d6bf 1324->1335 1351 682de72-682de87 1326->1351 1352 682de0d-682de70 call 6826590 1326->1352 1334->1335 1336 682d6c1 1335->1336 1337 682d6c6-682d6c9 1335->1337 1336->1337 1337->1234 1337->1271 1349 682d731-682d73d 1338->1349 1350 682d72f 1338->1350 1346 682d755-682d761 1339->1346 1369 682d763-682d76d 1346->1369 1370 682d76f 1346->1370 1355 682d73f-682d747 1349->1355 1350->1355 1367 682de88 1351->1367 1352->1351 1355->1346 1367->1367 1375 682d774-682d776 1369->1375 1370->1375 1375->1244 1378 682d77c-682d798 call 6826590 1375->1378 1391 682d7a7-682d7b3 1378->1391 1392 682d79a-682d79f 1378->1392 1391->1290 1393 682d7b5-682d802 1391->1393 1392->1391 1393->1244 1453 682db21-682db26 1452->1453 1454 682db2e-682db37 1452->1454 1453->1454 1454->1249 1455 682db3d-682db50 1454->1455 1457 682db56-682db5c 1455->1457 1458 682dd2a-682dd34 1455->1458 1459 682db6b-682db74 1457->1459 1460 682db5e-682db63 1457->1460 1458->1451 1458->1452 1459->1249 1461 682db7a-682db9b 1459->1461 1460->1459 1464 682dbaa-682dbb3 1461->1464 1465 682db9d-682dba2 1461->1465 1464->1249 1466 682dbb9-682dbd6 1464->1466 1465->1464 1466->1458 1469 682dbdc-682dbe2 1466->1469 1469->1249 1470 682dbe8-682dc01 1469->1470 1472 682dc07-682dc2e 1470->1472 1473 682dd1d-682dd24 1470->1473 1472->1249 1476 682dc34-682dc3e 1472->1476 1473->1458 1473->1469 1476->1249 1477 682dc44-682dc5b 1476->1477 1479 682dc6a-682dc85 1477->1479 1480 682dc5d-682dc68 1477->1480 1479->1473 1485 682dc8b-682dca4 call 6826590 1479->1485 1480->1479 1489 682dcb3-682dcbc 1485->1489 1490 682dca6-682dcab 1485->1490 1489->1249 1491 682dcc2-682dd16 1489->1491 1490->1489 1491->1473 1498->1306 1499->1306
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q
                                          • API String ID: 0-2441406858
                                          • Opcode ID: 63736c63dfe36cb13cbe1ddb7e0ab95fa8134b36d3b038a0eae85dc2a85000a3
                                          • Instruction ID: 49d752a42759054525834017de506ee0813acaddf9ec74ec152d2d0c17dcf806
                                          • Opcode Fuzzy Hash: 63736c63dfe36cb13cbe1ddb7e0ab95fa8134b36d3b038a0eae85dc2a85000a3
                                          • Instruction Fuzzy Hash: 79624130A007169FCB55EF68D690A5DB7B2FF84308B208A68D015DF769EB75EC46CB84
                                          Function 06824B90 Relevance: 3.9, Strings: 3, Instructions: 186COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1500 6824b90-6824bb4 1502 6824bb6-6824bb9 1500->1502 1503 6825298-682529b 1502->1503 1504 6824bbf-6824cb7 1502->1504 1505 68252bc-68252be 1503->1505 1506 682529d-68252b7 1503->1506 1524 6824d3a-6824d41 1504->1524 1525 6824cbd-6824d05 1504->1525 1507 68252c0 1505->1507 1508 68252c5-68252c8 1505->1508 1506->1505 1507->1508 1508->1502 1511 68252ce-68252db 1508->1511 1526 6824d47-6824db7 1524->1526 1527 6824dc5-6824dce 1524->1527 1547 6824d0a call 6825448 1525->1547 1548 6824d0a call 6825439 1525->1548 1544 6824dc2 1526->1544 1545 6824db9 1526->1545 1527->1511 1538 6824d10-6824d2c 1541 6824d37-6824d38 1538->1541 1542 6824d2e 1538->1542 1541->1524 1542->1541 1544->1527 1545->1544 1547->1538 1548->1538
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: fdq$XPdq$\Odq
                                          • API String ID: 0-727959394
                                          • Opcode ID: 23f0d629d5ac855519dad237ca03625cbe9d3913baffbb391f093abae53b2168
                                          • Instruction ID: ba8455fe475214bb7197f67ffbb88cc106e8ff567f84e39a46cd71373e2eb18b
                                          • Opcode Fuzzy Hash: 23f0d629d5ac855519dad237ca03625cbe9d3913baffbb391f093abae53b2168
                                          • Instruction Fuzzy Hash: 24618F70F002299FEB549BA5C8147AEBAF2FF88700F208429D505EB395DF744C458BA1
                                          Function 06829130 Relevance: 2.7, Strings: 2, Instructions: 163COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2510 6829130-6829132 2511 6829134-6829136 2510->2511 2512 682913a 2510->2512 2513 6829138 2511->2513 2514 682913e 2511->2514 2515 6829142-6829144 2512->2515 2516 682913c-682913d 2512->2516 2513->2512 2517 6829140-6829141 2514->2517 2518 6829145-6829165 2514->2518 2515->2518 2516->2514 2517->2515 2519 6829167-682916a 2518->2519 2520 6829170-6829185 2519->2520 2521 6829a28-6829a2b 2519->2521 2528 6829187-682918d 2520->2528 2529 682919d-68291b3 2520->2529 2522 6829a51-6829a53 2521->2522 2523 6829a2d-6829a4c 2521->2523 2525 6829a55 2522->2525 2526 6829a5a-6829a5d 2522->2526 2523->2522 2525->2526 2526->2519 2530 6829a63-6829a6d 2526->2530 2531 6829191-6829193 2528->2531 2532 682918f 2528->2532 2535 68291be-68291c0 2529->2535 2531->2529 2532->2529 2536 68291c2-68291c8 2535->2536 2537 68291d8-6829249 2535->2537 2538 68291ca 2536->2538 2539 68291cc-68291ce 2536->2539 2548 6829275-6829291 2537->2548 2549 682924b-682926e 2537->2549 2538->2537 2539->2537 2554 6829293-68292b6 2548->2554 2555 68292bd-68292d8 2548->2555 2549->2548 2554->2555 2560 6829303-682931e 2555->2560 2561 68292da-68292fc 2555->2561 2566 6829343-6829351 2560->2566 2567 6829320-682933c 2560->2567 2561->2560 2568 6829353-682935c 2566->2568 2569 6829361-68293db 2566->2569 2567->2566 2568->2530 2575 6829428-682943d 2569->2575 2576 68293dd-68293fb 2569->2576 2575->2521 2580 6829417-6829426 2576->2580 2581 68293fd-682940c 2576->2581 2580->2575 2580->2576 2581->2580
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q
                                          • API String ID: 0-458585787
                                          • Opcode ID: ee99b8074042499bff277562658956785ef72996dd6fb374b66d72829cfebea8
                                          • Instruction ID: 7b3a9f2feea0fe720698b1503042feff9d68b1d52898b19cd4abf44fb637fe73
                                          • Opcode Fuzzy Hash: ee99b8074042499bff277562658956785ef72996dd6fb374b66d72829cfebea8
                                          • Instruction Fuzzy Hash: 46515F70F001169FDF54DB75E950BAE73F6AB88654F108469C909EB398EE34DC82CBA1
                                          Function 067CBE38 Relevance: 1.7, APIs: 1, Instructions: 217COMMON
                                          Download Yara Rule
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 067CC09E
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2559941370.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_67c0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: cc284e883cd274305ff3730c652a40c3228eb4f226046bb7ee2744cc073afd4f
                                          • Instruction ID: 4178c3091fc2fb3340e8c2fcd5e21b0596c733aec1b3e9f6abc636e98da23cf5
                                          • Opcode Fuzzy Hash: cc284e883cd274305ff3730c652a40c3228eb4f226046bb7ee2744cc073afd4f
                                          • Instruction Fuzzy Hash: DA815570A00B058FD7A4DF29C44576ABBF1FF88714F00892EE59A9BA50E735E949CF90
                                          Function 011CF580 Relevance: 1.6, APIs: 1, Instructions: 136COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2544508517.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_11c0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: db91bf3a91c385670050001e9fd6845ca87b2819bebd09a629ce238301eb250d
                                          • Instruction ID: fdad2c5d6c857468db17df08eee888b2703bf47694c96f83728617a624d85308
                                          • Opcode Fuzzy Hash: db91bf3a91c385670050001e9fd6845ca87b2819bebd09a629ce238301eb250d
                                          • Instruction Fuzzy Hash: 10413672D043568FCB08DF79D4042AEBFB5AF99310F15856AD504A7291DB349C46CBE1
                                          Function 067CE424 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                          Download Yara Rule
                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 067CE542
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2559941370.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_67c0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          • Opcode ID: 8e48c14947a1007a1189236677a1a505d6ff4dc01be7c12de38f94b936ae861a
                                          • Instruction ID: 913ce9bdf2119dc2d01c81710234a5417e9adb6cbd73be4c0390ced2f15ac20d
                                          • Opcode Fuzzy Hash: 8e48c14947a1007a1189236677a1a505d6ff4dc01be7c12de38f94b936ae861a
                                          • Instruction Fuzzy Hash: 0F51C0B1D00309EFDB14CF99D884ADEBBB5BF48314F24812EE819AB250D7749985CF91
                                          Function 067CE430 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                          Download Yara Rule
                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 067CE542
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2559941370.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_67c0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          • Opcode ID: c46da4d98407dd1e2e99f7bddf5ca12f0cd258fbcecc9def97379c59349942ed
                                          • Instruction ID: b3c2038f50fae35fadde969f2d868b5b5d0c00d210b0bc2cd4f94923f65671d6
                                          • Opcode Fuzzy Hash: c46da4d98407dd1e2e99f7bddf5ca12f0cd258fbcecc9def97379c59349942ed
                                          • Instruction Fuzzy Hash: 6241C0B1D003099FDB14CF99D884ADEBBB5BF48314F24812EE819AB210D771A985CF91
                                          Function 067C3C58 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                          Download Yara Rule
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 067C3CE7
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2559941370.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_67c0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 6b509da7f379d06bbbc1cdb95b0ab42a22374ff8cd23c32706cf57d280da49e7
                                          • Instruction ID: b6643ab89c60b74ee3acad3179dd0f76ec08ddad9d0776681631628f14d14dc1
                                          • Opcode Fuzzy Hash: 6b509da7f379d06bbbc1cdb95b0ab42a22374ff8cd23c32706cf57d280da49e7
                                          • Instruction Fuzzy Hash: 6B2105B5D002189FDB50CF99D985AEEBBF8FB48320F14811AE918A3350C374A940CFA1
                                          Function 011C7838 Relevance: 1.6, APIs: 1, Instructions: 65fileCOMMON
                                          Download Yara Rule
                                          APIs
                                          • MoveFileA.KERNEL32(?,00000000,?,?), ref: 011C8700
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2544508517.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_11c0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: FileMove
                                          • String ID:
                                          • API String ID: 3562171763-0
                                          • Opcode ID: ebd1cdbba47afc67d109b0137548e01e3de88d957db01dafeff6e0d353932ad2
                                          • Instruction ID: 4b47d6145cc522c02deec8a527681468417954916f7131153b9bc5fdf00f669f
                                          • Opcode Fuzzy Hash: ebd1cdbba47afc67d109b0137548e01e3de88d957db01dafeff6e0d353932ad2
                                          • Instruction Fuzzy Hash: 362123B6C012189FCB54CF99D884ADEFBF5FB88710F10805AE918BB304D375A944CBA5
                                          Function 011C8668 Relevance: 1.6, APIs: 1, Instructions: 64fileCOMMON
                                          Download Yara Rule
                                          APIs
                                          • MoveFileA.KERNEL32(?,00000000,?,?), ref: 011C8700
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2544508517.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_11c0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: FileMove
                                          • String ID:
                                          • API String ID: 3562171763-0
                                          • Opcode ID: 5504a3c7ddd7febda91d9cdf00fa10f8bd5caf2f939c377df18300747edc45d9
                                          • Instruction ID: 8f3a89d2a5c4df03d47ec467857febacdc8b7894992f75b08f813ffa8b0a7b29
                                          • Opcode Fuzzy Hash: 5504a3c7ddd7febda91d9cdf00fa10f8bd5caf2f939c377df18300747edc45d9
                                          • Instruction Fuzzy Hash: 412125B6C012189FCB14CF99D884ADEFFF5FB88710F25805AE918BB205D375A944CBA0
                                          Function 067C3C60 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                          Download Yara Rule
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 067C3CE7
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2559941370.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_67c0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: ef36f2a083b26d7bbc03b38d234ef6a8e2687a636b155a53640b28fd1a70aa28
                                          • Instruction ID: 4852b3482eb64f9cda1dddf515e7380e8ef2807b39015c64b68f524ff3978745
                                          • Opcode Fuzzy Hash: ef36f2a083b26d7bbc03b38d234ef6a8e2687a636b155a53640b28fd1a70aa28
                                          • Instruction Fuzzy Hash: D121C6B5D002599FDB10CF9AD585ADEBBF4FB48320F14841AE918A3350D375A944CFA5
                                          Function 011C7810 Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON
                                          Download Yara Rule
                                          APIs
                                          • DeleteFileW.KERNELBASE(00000000), ref: 011C8110
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2544508517.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_11c0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: d274ad29fafff4af5f1cd97a2b53d04c1144fba4bb4dacd0d5bc976eb676f0f8
                                          • Instruction ID: bb9b4fe024269571a927180ce1cd418ef0ec5b4238ec9e8d193efd7560e8f89d
                                          • Opcode Fuzzy Hash: d274ad29fafff4af5f1cd97a2b53d04c1144fba4bb4dacd0d5bc976eb676f0f8
                                          • Instruction Fuzzy Hash: D42144B1C046599FCB14CF9AC4457AEFBF4EB48720F11812AD818B7340D378A944CFA5
                                          Function 011C8098 Relevance: 1.6, APIs: 1, Instructions: 58fileCOMMON
                                          Download Yara Rule
                                          APIs
                                          • DeleteFileW.KERNELBASE(00000000), ref: 011C8110
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2544508517.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_11c0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 4aa401d33f204f1af7d10fef62442eb9e417826c865f6acff81b51e9be017fe6
                                          • Instruction ID: e434c96390b471510d798dffc9e63eebc79b66bbb905c19b3122c759e9072ca7
                                          • Opcode Fuzzy Hash: 4aa401d33f204f1af7d10fef62442eb9e417826c865f6acff81b51e9be017fe6
                                          • Instruction Fuzzy Hash: 1D2144B1C006599FCB14CFA9C5457EEFBF4AF48720F15816AD818B7241D378A944CFA1
                                          Function 011CF650 Relevance: 1.6, APIs: 1, Instructions: 56COMMON
                                          Download Yara Rule
                                          APIs
                                          • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,011CF5D2), ref: 011CF6BF
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2544508517.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_11c0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID:
                                          • API String ID: 1890195054-0
                                          • Opcode ID: a99a782ca974d91b94dbabfb407bdb4d5dae158c3b981a496d9b68eeb428e4f6
                                          • Instruction ID: ba35f2aeed04c92e2cc7af1fecec9349d2214405915c5cde9f832832de580c4c
                                          • Opcode Fuzzy Hash: a99a782ca974d91b94dbabfb407bdb4d5dae158c3b981a496d9b68eeb428e4f6
                                          • Instruction Fuzzy Hash: 261136B1C0026A9BDB14CFAAC4487DEFBB4AB08320F11812AD918B3250D379A945CFA5
                                          Function 011CEDCC Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                          Download Yara Rule
                                          APIs
                                          • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,011CF5D2), ref: 011CF6BF
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2544508517.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_11c0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID:
                                          • API String ID: 1890195054-0
                                          • Opcode ID: 56b706c3ccdcf6aa9c5b85b12f98d4cf4b803ab1bc5d5f82c3af5ac08c7622d5
                                          • Instruction ID: 1605b2554e9ba4b3e08833c088ba10e8f980d4d8dc8d2d976a222b68ebf43cc3
                                          • Opcode Fuzzy Hash: 56b706c3ccdcf6aa9c5b85b12f98d4cf4b803ab1bc5d5f82c3af5ac08c7622d5
                                          • Instruction Fuzzy Hash: 671136B1C0065A9BCB14DFAAC44879EFBF4AB08320F11816AD918B7250D378A944CFA5
                                          Function 067CC038 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                          Download Yara Rule
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 067CC09E
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2559941370.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_67c0000_z68ORDER.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 06e3ed111fdc2cda7daff85ca652ec5dab7ca0fdd23401967726c62a09011406
                                          • Instruction ID: 85c4b79907ada504bf27b338f4b72ee1f462e85c5dbc4c0e2e857e6626a3a675
                                          • Opcode Fuzzy Hash: 06e3ed111fdc2cda7daff85ca652ec5dab7ca0fdd23401967726c62a09011406
                                          • Instruction Fuzzy Hash: 7A110FB5C002498FCB10DF9AC844B9EFBF4EB88324F10842ED829A7200C375A545CFA1
                                          Function 06824B83 Relevance: 1.4, Strings: 1, Instructions: 131COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: XPdq
                                          • API String ID: 0-1708276200
                                          • Opcode ID: 2c8115ed46990c4cbc013c74c1c86f39c316a43e20e84274adbd969acd795e02
                                          • Instruction ID: 1293e20893f6958cd39ecbce7686a3a7250978428fa0aa95486eba0314979f6c
                                          • Opcode Fuzzy Hash: 2c8115ed46990c4cbc013c74c1c86f39c316a43e20e84274adbd969acd795e02
                                          • Instruction Fuzzy Hash: A1419D74F102199FEB599BA5C854B9EBBF6BF88700F20C529E105EB395DA744C418BA0
                                          Function 0682DE9D Relevance: 1.4, Strings: 1, Instructions: 120COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PH_q
                                          • API String ID: 0-2397113591
                                          • Opcode ID: ac9d73cac39f9be6f3b29a68470abc1e6dd3467ba443eb9d47611c30353a1ff3
                                          • Instruction ID: 7c0372ee5ceb67920728574377242a40aa691a8b4b311318b312a24125374870
                                          • Opcode Fuzzy Hash: ac9d73cac39f9be6f3b29a68470abc1e6dd3467ba443eb9d47611c30353a1ff3
                                          • Instruction Fuzzy Hash: F341B130E1031A9FDB64DF65C89469EBBB2BF85304F104529E905EB244EB75E886CB91
                                          Function 0682DEB0 Relevance: 1.4, Strings: 1, Instructions: 117COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PH_q
                                          • API String ID: 0-2397113591
                                          • Opcode ID: bce59a9c212e4416db5f74874a7e5988e10db8a681e0b13e9c844385c64d88a3
                                          • Instruction ID: 3d57ab84af5be010f04cef1bcd8abb6310dfbf975e689ae32db2cf7f25540af3
                                          • Opcode Fuzzy Hash: bce59a9c212e4416db5f74874a7e5988e10db8a681e0b13e9c844385c64d88a3
                                          • Instruction Fuzzy Hash: 6041CF30E0031A9FDB64DF65C45469FBBB2BF89304F204929E901E7344EBB4E882CB95
                                          Function 068225E5 Relevance: 1.4, Strings: 1, Instructions: 115COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PH_q
                                          • API String ID: 0-2397113591
                                          • Opcode ID: 1c50314f7a316b2a9220460b49770df27f7ee80a4d8c5de9fda73077199b1cf1
                                          • Instruction ID: 7e52c308f3f524a36822da04b527c082f133aaacba6ccbe35389144b05a0bcf1
                                          • Opcode Fuzzy Hash: 1c50314f7a316b2a9220460b49770df27f7ee80a4d8c5de9fda73077199b1cf1
                                          • Instruction Fuzzy Hash: FD310131B003268FDB59AB74C5606AE7BE2EF89604F108578D506DB394DF39DE82C7A1
                                          Function 068225F8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PH_q
                                          • API String ID: 0-2397113591
                                          • Opcode ID: 3d6a7abe7d2a58fbe860a5ce33c0c0315da7e481375f5fdff95107d76172b6b4
                                          • Instruction ID: aaa587fa825dce0c5f1c862c3a3b8c9055afafbdc1b57d66d33d2516a3ba2e8c
                                          • Opcode Fuzzy Hash: 3d6a7abe7d2a58fbe860a5ce33c0c0315da7e481375f5fdff95107d76172b6b4
                                          • Instruction Fuzzy Hash: B631E231B002168FDB58AB74C56466E7BA3AF88604F108938D506DB394EF39DE82C7A5
                                          Function 068282B8 Relevance: 1.3, Strings: 1, Instructions: 40COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q
                                          • API String ID: 0-238743419
                                          • Opcode ID: 8dbfa628ee7a4baa3a97e7d7d0eeba5116ffcbfb99dbb85f9a2ee60aec84e6a4
                                          • Instruction ID: fa27bf1dec28b22f8e6c95ec9d3f11e5873e1e3807c1fd72ee45f107c6db278e
                                          • Opcode Fuzzy Hash: 8dbfa628ee7a4baa3a97e7d7d0eeba5116ffcbfb99dbb85f9a2ee60aec84e6a4
                                          • Instruction Fuzzy Hash: FEF0FFB1A0022BCFDF689A94EA962AC73A1FB40318F144426CA04DB644D731ED89CB90
                                          Function 0682B213 Relevance: .3, Instructions: 296COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2305f50e09300d587e14ed413e314c7559edd1e5216c40916793acdf97dc9dd3
                                          • Instruction ID: 262c09636a4302ea74561bd162e07e30201bbe1e793b5f037fea341dd98eff57
                                          • Opcode Fuzzy Hash: 2305f50e09300d587e14ed413e314c7559edd1e5216c40916793acdf97dc9dd3
                                          • Instruction Fuzzy Hash: 53A1C670F1121A9FDF64CAACC9947AE77E6FB49314F208829E509EB395CA34DCC18791
                                          Function 0682B628 Relevance: .3, Instructions: 271COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f9c63d322b30c92a45059e9348276e456e6e2cbf179027679f831ed610c4dcb5
                                          • Instruction ID: 35d0f57a8e01dc106ea6052c67faa3200d592c1d0fcbf143fa22bd928980d07d
                                          • Opcode Fuzzy Hash: f9c63d322b30c92a45059e9348276e456e6e2cbf179027679f831ed610c4dcb5
                                          • Instruction Fuzzy Hash: 29A15B30E1122B8FDFA0CA68C5C07ADB7B1FB49318F148926E559EB255DB34DC85CB51
                                          Function 068261E0 Relevance: .2, Instructions: 229COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a40f065eb55da5e268aeff427f9ef5cb07a9521ae550529b5cd2b5e9e615b1a9
                                          • Instruction ID: 16c2d893309b1daf55dd8fcbf3229caa449a6768cc85a522d3ad579e787e29c2
                                          • Opcode Fuzzy Hash: a40f065eb55da5e268aeff427f9ef5cb07a9521ae550529b5cd2b5e9e615b1a9
                                          • Instruction Fuzzy Hash: 5061CFB1F401224FCB549A6EC88066FBAD7EFC8224B254439D90EDB364EE65ED4287D1
                                          Function 068242C0 Relevance: .2, Instructions: 224COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c3296fdfd3fcc47d98b645b93f981cab16dfc19cd4c3b039c5654b95d0a1ab0f
                                          • Instruction ID: f3d88ebd7708f4671508ac14319649be67f88c7ca1e46f348ad944d7f9e4bc64
                                          • Opcode Fuzzy Hash: c3296fdfd3fcc47d98b645b93f981cab16dfc19cd4c3b039c5654b95d0a1ab0f
                                          • Instruction Fuzzy Hash: 0B815E30B1021A8FDB54DFB4D55476EB7F2AF88304F108529D50AEB398EB74DC868BA1
                                          Function 068245E0 Relevance: .2, Instructions: 219COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8e9e01c6031f8e86046266d45e277e4f94d23ca41569385033d17839a5b3d0d6
                                          • Instruction ID: 98f610a887f6ed1c67c870c1279e49952d0c55ac3f86dcca606a1d867d867758
                                          • Opcode Fuzzy Hash: 8e9e01c6031f8e86046266d45e277e4f94d23ca41569385033d17839a5b3d0d6
                                          • Instruction Fuzzy Hash: 88915C30E1061A8FDF64DF68C880B9DB7B1FF89304F208599D549EB295DB70AA85CF91
                                          Function 068242D0 Relevance: .2, Instructions: 218COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b8c095e6bb5341451a65f8749def38b6c94291dfae756634d56d6fde42b1fd8c
                                          • Instruction ID: 3df316f531ec4225df5a5f4402226b5e2f004ede70fe756249b40e026fe4ed8c
                                          • Opcode Fuzzy Hash: b8c095e6bb5341451a65f8749def38b6c94291dfae756634d56d6fde42b1fd8c
                                          • Instruction Fuzzy Hash: B2814D30B1021A8FDB54DFB5D55475EB7F2AF88304F108529E50AEB398EB74DC868BA1
                                          Function 068245F8 Relevance: .2, Instructions: 210COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3fd7912a9fee00486ea7453d88910da1eac0548dab23c525255ce22ecfa6771e
                                          • Instruction ID: 40287d08ed607d7ab927a9d5c3b4391fdde29937ce31996139fde6d833444b6f
                                          • Opcode Fuzzy Hash: 3fd7912a9fee00486ea7453d88910da1eac0548dab23c525255ce22ecfa6771e
                                          • Instruction Fuzzy Hash: 63913C34E1061A8BDF64DF68C880B9DB7B1FF89304F208599D519EB295DB70AA85CF90
                                          Function 0682EEE7 Relevance: .2, Instructions: 209COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3c74daa7570b4d071b5219da8b56fd10826075bd147ae2a0b5a0090f786b2903
                                          • Instruction ID: 62f527c8512dc42a196e7de91808a121df4827c8226520d62375868d4cd158ac
                                          • Opcode Fuzzy Hash: 3c74daa7570b4d071b5219da8b56fd10826075bd147ae2a0b5a0090f786b2903
                                          • Instruction Fuzzy Hash: 3A713F70A0121A9FCB54DFA8D994AAEB7F6FF88304F148469D519EB354DB30EC86CB50
                                          Function 0682EEF8 Relevance: .2, Instructions: 201COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 19b669604f779210997fa4010508b9922594a76200a3057e7b71cbbe890a2724
                                          • Instruction ID: 4ca20fad1eb2e3ff825c58298eda28cafd3159990979a6b6a10c216914c0f30e
                                          • Opcode Fuzzy Hash: 19b669604f779210997fa4010508b9922594a76200a3057e7b71cbbe890a2724
                                          • Instruction Fuzzy Hash: E1714F70A0121A9FCB54DFA9D990AAEB7F6FF88304F148469D115EB354DB30EC86CB50
                                          Function 0682FC68 Relevance: .2, Instructions: 171COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f96ec112fb48bba66a88213ce68699dc21c2bb97744a36df5277e2c9f73cfcd9
                                          • Instruction ID: cb238eef5be02774ff142e6a254f31458d142bcadf920e59320073b5c6c7eeda
                                          • Opcode Fuzzy Hash: f96ec112fb48bba66a88213ce68699dc21c2bb97744a36df5277e2c9f73cfcd9
                                          • Instruction Fuzzy Hash: 34510335E00126DFDF24EB78E4542ADBBB2FF88315F108879E20ADB250DB359895CB81
                                          Function 0682FA0B Relevance: .2, Instructions: 170COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: aa53d1a2107609b8a4c2667b73ae8f7331278361d59387371574d4ed8265675c
                                          • Instruction ID: 94ad702fa12846d85693597bce090cf196a501ac9a93a4e001686f26b8a1e39c
                                          • Opcode Fuzzy Hash: aa53d1a2107609b8a4c2667b73ae8f7331278361d59387371574d4ed8265675c
                                          • Instruction Fuzzy Hash: 8351EB30B502269BEF64666CD96472F3676D789744F10482AF30AD77DCDA38CC95C3A2
                                          Function 0682FA18 Relevance: .2, Instructions: 163COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dfcdea80341daddf3b4ed3eddde9dbe2caead7d216c8f81c6311388f5abb5a2f
                                          • Instruction ID: 4a66d183772e5a90de8f9722aeca7dfa3908a8d483ee489345a71b66df7c3740
                                          • Opcode Fuzzy Hash: dfcdea80341daddf3b4ed3eddde9dbe2caead7d216c8f81c6311388f5abb5a2f
                                          • Instruction Fuzzy Hash: 72510B30B502269BEF54666CD96472F3666D789704F20482AF60AD37DCDE34CC85C3A2
                                          Function 06825448 Relevance: .1, Instructions: 126COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ecb6c3c0ab926618e4830ff39fee63375d1a3dd296557413765fb9c5c538f090
                                          • Instruction ID: 3c28f5425a04ee8ad3e9c971c6470b7652a51946dcb63afe396e5d212433c9fe
                                          • Opcode Fuzzy Hash: ecb6c3c0ab926618e4830ff39fee63375d1a3dd296557413765fb9c5c538f090
                                          • Instruction Fuzzy Hash: E6414F71E4061A9FDF70CFA9D981AAFF7B2FB84310F10492AD215D7650D330E8958B92
                                          Function 0682FC57 Relevance: .1, Instructions: 119COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2a9117d54cec428ef058f7334065e9544baff294b7198e9be201601ca4f4cbb5
                                          • Instruction ID: a5727941edc373c3bde677ab10139117d0247c7ebc4833e9dfba52da71c5efb5
                                          • Opcode Fuzzy Hash: 2a9117d54cec428ef058f7334065e9544baff294b7198e9be201601ca4f4cbb5
                                          • Instruction Fuzzy Hash: D5413731A001269FCF69AB78E4540AEFBB2FF84205F108879D20ACB251DF319C96C792
                                          Function 068255B8 Relevance: .1, Instructions: 109COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 08483ab67cfc95bbd6d03853ac1cf2ad745e75cddb9b7efa535a06cd38a6ed77
                                          • Instruction ID: 3314cfcab94c6800565011843bd12c669f80d20bb99fd47801cc0ace13e8132d
                                          • Opcode Fuzzy Hash: 08483ab67cfc95bbd6d03853ac1cf2ad745e75cddb9b7efa535a06cd38a6ed77
                                          • Instruction Fuzzy Hash: AD31B470E502169FDF708BA9C8C077EF7B2FB85310F64882AD659D7241C635D981CB92
                                          Function 0682DD50 Relevance: .1, Instructions: 98COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ddce973a640f7623d0b963389b0065862ddb19c13ac0eee41ba82a53cd47c7db
                                          • Instruction ID: 10356f22252cd1ae2431cfcb63f5f4b3f3dde908db65cc8363c2d40987ec1155
                                          • Opcode Fuzzy Hash: ddce973a640f7623d0b963389b0065862ddb19c13ac0eee41ba82a53cd47c7db
                                          • Instruction Fuzzy Hash: C731C730E1071B9FCF15DF64D99069EBBB6FF85304F508929E505EB354EB71A8868B80
                                          Function 068224B8 Relevance: .1, Instructions: 91COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7a388bbcef3c536c0d334ef2810dd13309242dc777c38c53454d41e6ad8d6e7f
                                          • Instruction ID: 74ef6170e0682ec090989909f57bdc8e825a6dd6384412cd3812be13667a09da
                                          • Opcode Fuzzy Hash: 7a388bbcef3c536c0d334ef2810dd13309242dc777c38c53454d41e6ad8d6e7f
                                          • Instruction Fuzzy Hash: 8F315C34E1061A9BCB59CF64D96469EB7B2FF89310F10C529E806E7758DB70AD82CB50
                                          Function 06825FE0 Relevance: .1, Instructions: 87COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1b5ea548544aa132f3b634ed51638fd2115e6d1db829f908f8d51e849f55c28e
                                          • Instruction ID: 9b6bec067f2b123bccb41d3309e73a10ce62d6d53ca4c3f6c561c14ae05ef561
                                          • Opcode Fuzzy Hash: 1b5ea548544aa132f3b634ed51638fd2115e6d1db829f908f8d51e849f55c28e
                                          • Instruction Fuzzy Hash: 6D31D035B200248FCB54DF78C498A5EBBE2FF8C710F2184A9E506DB3A2DA71DC448B90
                                          Function 06823EC9 Relevance: .1, Instructions: 84COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 76fb451cba5a6434b8089f00c40a0f92cf389798098b73e091ff7046c25e1e11
                                          • Instruction ID: 431da7d2fad8b62c4bdf19e26d0ac06f16da5d27a40a5e7c07184450e06308d2
                                          • Opcode Fuzzy Hash: 76fb451cba5a6434b8089f00c40a0f92cf389798098b73e091ff7046c25e1e11
                                          • Instruction Fuzzy Hash: 19218D35F0125A9FDB00DF68D991BAFBBF6AB48210F10842AE905E7384E774DD418B91
                                          Function 06825FF0 Relevance: .1, Instructions: 81COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5dad3e84d17748577f18a0ebf0c912c8334e1cb4bb56591aa5e472725ab7ff5c
                                          • Instruction ID: bebc10e215c93a208d2c00736b3c973f5805ef5b38ba27d3ce7e71d7b1d66c44
                                          • Opcode Fuzzy Hash: 5dad3e84d17748577f18a0ebf0c912c8334e1cb4bb56591aa5e472725ab7ff5c
                                          • Instruction Fuzzy Hash: B3216235B200248FCB54DF69C498A5EB7F6FF8D710F2184A9E506DB3A5DA71DC448B90
                                          Function 06823ED8 Relevance: .1, Instructions: 78COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 255ce8f24b691eb39a097a9ac8fb0de56b846b391b487e273a37353206cc9c92
                                          • Instruction ID: a347e388d45113fd8ecc6ebf31bf0f62811219232b9d88b3965f05767113a75e
                                          • Opcode Fuzzy Hash: 255ce8f24b691eb39a097a9ac8fb0de56b846b391b487e273a37353206cc9c92
                                          • Instruction Fuzzy Hash: 3A218E75F012169FDB40DF69E991BAEB7F1EB48710F108029EA05E7344E774DD418B91
                                          Function 06825439 Relevance: .1, Instructions: 78COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 04dec2ea1caa92fb66839848aeed9d609b2b75cb7cc53a3341170ad735e4921c
                                          • Instruction ID: 5b493255b1c4be1366a16aa7e09ca943b5c003972c2670e59a2f971857cd052b
                                          • Opcode Fuzzy Hash: 04dec2ea1caa92fb66839848aeed9d609b2b75cb7cc53a3341170ad735e4921c
                                          • Instruction Fuzzy Hash: C3216D71A407168FCB70CFA9C9806AEFBF2FF85310F10492AD255D7651D370A8958B92
                                          Function 0113D044 Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2544075088.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_113d000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ea8734a3293aebbde25801ad91915540019278a6f9439f30e461135badc7c44b
                                          • Instruction ID: 69676e474c97aa0c0a15096a077a0bd877b14d0e9f612ac23099c511c32d5c68
                                          • Opcode Fuzzy Hash: ea8734a3293aebbde25801ad91915540019278a6f9439f30e461135badc7c44b
                                          • Instruction Fuzzy Hash: A62134B1504204DFCF19CFA8E9C0B26FB65FBC4714F60C5ADE8490B25AC73AD44ACA62
                                          Function 06823FE8 Relevance: .1, Instructions: 59COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2164cb92360302630f325d44be87582be0f04cace1d9d5b7994c3f77c03a248d
                                          • Instruction ID: 79a97269b343f7394645a01f1bb1c96a85b5a8cbf235375c918232878feb9132
                                          • Opcode Fuzzy Hash: 2164cb92360302630f325d44be87582be0f04cace1d9d5b7994c3f77c03a248d
                                          • Instruction Fuzzy Hash: 7411C435B1013A5FDF949678D8146AE73EAEBC8711F008439D50AE7344EE76DC468BE1
                                          Function 06823CA0 Relevance: .1, Instructions: 58COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dd8cf4b93f68f3b977e40782e6604f57b57e2bad531b3bcbf54fd1fafb49e0d1
                                          • Instruction ID: 82c1bd96b53d6ded63307e50181a309ae86edf1f304668db71a39aa0898bc0b3
                                          • Opcode Fuzzy Hash: dd8cf4b93f68f3b977e40782e6604f57b57e2bad531b3bcbf54fd1fafb49e0d1
                                          • Instruction Fuzzy Hash: E521E5B5D01229AFCB40DF9AD984ADEFBB4BB48314F10851AE518B3300D3796954CFA5
                                          Function 0682A2F0 Relevance: .1, Instructions: 58COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a5812f344c938664eb918ac51c64c314e6c0fb8049ae68838171eb394af8d693
                                          • Instruction ID: c0f52657847efe7e2fce81fe56fb8505e99b0c5d2b02a7d6298e0c4c3ad49541
                                          • Opcode Fuzzy Hash: a5812f344c938664eb918ac51c64c314e6c0fb8049ae68838171eb394af8d693
                                          • Instruction Fuzzy Hash: 29114430B102261FC756DA38E864B2E7BE5FF46324F10C479E209CB2A2DA21DC4283A1
                                          Function 06824223 Relevance: .1, Instructions: 58COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 64f31ffdb4c10b063aa2c4301f6ceb02f867761e1110d6bf62fbf448dd6d57f8
                                          • Instruction ID: a25de5e9c8a7e4172703ebe4d011b6999717bb91cd0a8df91efebaa1fc6d5069
                                          • Opcode Fuzzy Hash: 64f31ffdb4c10b063aa2c4301f6ceb02f867761e1110d6bf62fbf448dd6d57f8
                                          • Instruction Fuzzy Hash: 3D01B1B5B100230FCB95DABED55172EABDADBCD720F20843AE60ACB355E925CC4243B4
                                          Function 06822154 Relevance: .1, Instructions: 55COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 12ecaead07d62838d10c426617b3c5b636890c5d3c7b8570541acda2d959f1db
                                          • Instruction ID: 4630eec239b7046a309e193cc78dd2fc42bdea58e967409f4fe642101e8b1f18
                                          • Opcode Fuzzy Hash: 12ecaead07d62838d10c426617b3c5b636890c5d3c7b8570541acda2d959f1db
                                          • Instruction Fuzzy Hash: 8021F4B1D01219AFCB00DF9AD884ADEFBB4FB48314F10812AE918B7200C378A944CFE5
                                          Function 0682F167 Relevance: .1, Instructions: 55COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 35fed4e0feca509903d5b10e29f46fb6cb6c4c1bec4b453e3bc9da4d6a6a6aa9
                                          • Instruction ID: 758ee398331bc8af6b85effe55e5511d10711f0112507a90e5a29468d6e44f75
                                          • Opcode Fuzzy Hash: 35fed4e0feca509903d5b10e29f46fb6cb6c4c1bec4b453e3bc9da4d6a6a6aa9
                                          • Instruction Fuzzy Hash: 55012835B141224FDB56DA7CD86072E6BF2DBCA214F54C83AE20AC7345DA24CC82C3A1
                                          Function 06823FD7 Relevance: .1, Instructions: 53COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: baad641fd5faca8e99499cd8ba4e2e8fde94960bcd1877e42bef03ec8a07fcb4
                                          • Instruction ID: e25977a2911ba90f4701b33a9b0f3693daccadea65bd022b1c4373a973bbcbf3
                                          • Opcode Fuzzy Hash: baad641fd5faca8e99499cd8ba4e2e8fde94960bcd1877e42bef03ec8a07fcb4
                                          • Instruction Fuzzy Hash: F701AC36F101265BDF949579D8107AF73FAABC8710F408035D50AE7344EE66DC4687E2
                                          Function 0113D03F Relevance: .1, Instructions: 53COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2544075088.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_113d000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                          • Instruction ID: 1580021f9c933eb6b419bcd631a4e25096ae5654fc26315d26578811b21cf37d
                                          • Opcode Fuzzy Hash: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                          • Instruction Fuzzy Hash: 7C11BB75504284CFDB16CF64D9C4B15FBA2FB84314F24C6A9E8494B256C33AD44ACB62
                                          Function 06824230 Relevance: .1, Instructions: 51COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dc82af909a239846432a8c32558bde6934b6c1a6460927bd6f56284832053669
                                          • Instruction ID: 47da86f7d01119dfb94bf27e2d2f8862a4df77ab36e2d029755693fc17089c1e
                                          • Opcode Fuzzy Hash: dc82af909a239846432a8c32558bde6934b6c1a6460927bd6f56284832053669
                                          • Instruction Fuzzy Hash: 1601D174B100220BDB64D9AED45072FA6DADBCD720F10C43AE60AC7354EE65DC4243B4
                                          Function 0682F178 Relevance: .0, Instructions: 49COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 35fbdc9e1cf46b3c7dec447677586f3c0304524bbf3b5f1ab6fedb42f97f556d
                                          • Instruction ID: 6f977b74482e158591efddff81f71fc5df232e10787ab6c63f2a53256df72409
                                          • Opcode Fuzzy Hash: 35fbdc9e1cf46b3c7dec447677586f3c0304524bbf3b5f1ab6fedb42f97f556d
                                          • Instruction Fuzzy Hash: B001F934B100225BDB55D57DD86072E67E6D7C9624F50C839E70AC7344EE25DC8283D5
                                          Function 0682A300 Relevance: .0, Instructions: 46COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b3944ff292db5ef441a59b9b175b981d003da45a97b8fc8f29874ef1bf24fe31
                                          • Instruction ID: c8cd2c7e6df858b7ce722caddbb3a5a659381d50ad0ba4516b9d6196e900809e
                                          • Opcode Fuzzy Hash: b3944ff292db5ef441a59b9b175b981d003da45a97b8fc8f29874ef1bf24fe31
                                          • Instruction Fuzzy Hash: 5801A434B601265FCB58EA7CE854B2E77D5FF89714F108439E60AC7354EE21DC424394
                                          Function 06826460 Relevance: .0, Instructions: 31COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4cea706791a1f3ad5989480e8de699060123e003a5781635d6ff115fc7650128
                                          • Instruction ID: 2930b7398facc72529a82578b12f3badb77389c2b674548bad8593bde8ea96a6
                                          • Opcode Fuzzy Hash: 4cea706791a1f3ad5989480e8de699060123e003a5781635d6ff115fc7650128
                                          • Instruction Fuzzy Hash: D7F05570E09209BBDB31CEB0C80976E7769EB02228F2088A5E488CF151F533CBC18780
                                          Function 06826470 Relevance: .0, Instructions: 22COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fdb783ad8ddd0b625cd7748f5eb138bca677bf42f01657a5ee64e5022ce74967
                                          • Instruction ID: 1b5dd4b1ca8100bc4fff4978fb5efb6e0405ae72d64c7649581a1b8ff2968c8a
                                          • Opcode Fuzzy Hash: fdb783ad8ddd0b625cd7748f5eb138bca677bf42f01657a5ee64e5022ce74967
                                          • Instruction Fuzzy Hash: 11E0C270E1111EABDF60CEB4C95576EB3ADE701214F2088A4D549CB201F132DAC14380

                                          Non-executed Functions

                                          Function 06827688 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q
                                          • API String ID: 0-698649689
                                          • Opcode ID: ca93da003883859d38bc9b73d77c5216541e73a0258555c0b72a12516ab38e38
                                          • Instruction ID: 6dbcd2ef96f9eb721b2003fc9cfa7b30726ff11399eb0184231e168f1cec7389
                                          • Opcode Fuzzy Hash: ca93da003883859d38bc9b73d77c5216541e73a0258555c0b72a12516ab38e38
                                          • Instruction Fuzzy Hash: F5122D30A0022ACFDB68DF79C994A6DB7F2BF89704F208569D509EB354DB309D81CB81
                                          Function 0682A928 Relevance: 10.2, Strings: 8, Instructions: 229COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q
                                          • API String ID: 0-2216122830
                                          • Opcode ID: d318e18aece4750054bfdccd97a34e2918f2f6cb7c7baa4a793fe75ce75116f7
                                          • Instruction ID: baa469e1103a59bf51c628d517fbabd7cf697bcfb39a36e5aefceae9f4dc76e7
                                          • Opcode Fuzzy Hash: d318e18aece4750054bfdccd97a34e2918f2f6cb7c7baa4a793fe75ce75116f7
                                          • Instruction Fuzzy Hash: 63918E30A0021BDFDB6CDF64D695B6E77F6AF84B04F108429E402EB294DB759C85CB90
                                          Function 06827088 Relevance: 9.2, Strings: 7, Instructions: 405COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .5wq$$_q$$_q$$_q$$_q$$_q$$_q
                                          • API String ID: 0-3129995876
                                          • Opcode ID: 959efe98abb3f1f0d8cbdf4094c66639bf5797ba5302e5cc68348fc05b2a1336
                                          • Instruction ID: 8a630f95c15026b1882d8807efd06f801b9b069e13d98b8dd9f8ada3e785138e
                                          • Opcode Fuzzy Hash: 959efe98abb3f1f0d8cbdf4094c66639bf5797ba5302e5cc68348fc05b2a1336
                                          • Instruction Fuzzy Hash: 9DF15D34A0021ACFDB58EB69D594A6EB7B3FF98304F208528D415DB758DB35EC86CB80
                                          Function 0682BDE8 Relevance: 7.7, Strings: 6, Instructions: 197COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q$$_q$$_q
                                          • API String ID: 0-155944776
                                          • Opcode ID: 8c58f8292ac8021f7f4d5ba6b47929f0fce20cb6b607c48705fb2348f72dfcad
                                          • Instruction ID: b1316bb7c780844a087d98eff63f2cb49bb1b2f3ee87c91b3360d050e1437176
                                          • Opcode Fuzzy Hash: 8c58f8292ac8021f7f4d5ba6b47929f0fce20cb6b607c48705fb2348f72dfcad
                                          • Instruction Fuzzy Hash: A271C074A1122B8FCBA8CFA8D5406AEB7B2FF84708F108929D505DB254DBB1DD85CB81
                                          Function 068283C0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q
                                          • API String ID: 0-1171383116
                                          • Opcode ID: 3f64768030782cfb4e6dab0da383078a4e762d802535e518a8723d881b3aea6b
                                          • Instruction ID: d21c881ffae6f27ee972135b02ea8f5ff32a8de3270f841537d5fa6e752b3af4
                                          • Opcode Fuzzy Hash: 3f64768030782cfb4e6dab0da383078a4e762d802535e518a8723d881b3aea6b
                                          • Instruction Fuzzy Hash: D0B12B74B1021A8FDB68EB69C59465EB7B2FF98304F248829D505DB358DB74DC8ACB80
                                          Function 0682ACA8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q
                                          • API String ID: 0-1171383116
                                          • Opcode ID: ff84501a663fec3443a1097900568ebc81e32e6127b570fd08b0bab08d59bb89
                                          • Instruction ID: 558f8df37d0c3b3cb9fdd53ca808d1bfaf6d0b475306506861f33325c6fb8fb4
                                          • Opcode Fuzzy Hash: ff84501a663fec3443a1097900568ebc81e32e6127b570fd08b0bab08d59bb89
                                          • Instruction Fuzzy Hash: 62517034E102169FDF6DEB68D5806ADB7B6EF88714F108929D905E7354DB31EC82CB90
                                          Function 068287D8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2560769623.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6820000_z68ORDER.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LR_q$LR_q$$_q$$_q
                                          • API String ID: 0-2912794808
                                          • Opcode ID: d75c14a7bd10d5bfb6afd1f7dccfca63592c262095741b302eee0da4ea9fb4c5
                                          • Instruction ID: e295ddcd0624e32a03be86d22cb6db7b82762821f1dab742b7f6f21fe14f46ff
                                          • Opcode Fuzzy Hash: d75c14a7bd10d5bfb6afd1f7dccfca63592c262095741b302eee0da4ea9fb4c5
                                          • Instruction Fuzzy Hash: 9551C130B002169FDF58EB28C951A6E77E2FF88708F148969E505DB399DB30EC95CB91

                                          Execution Graph

                                          Execution Coverage:10.1%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:386
                                          Total number of Limit Nodes:19
                                          execution_graph 48610 2e2acb0 48611 2e2acbf 48610->48611 48614 2e2ad97 48610->48614 48619 2e2ada8 48610->48619 48615 2e2addc 48614->48615 48616 2e2adb9 48614->48616 48615->48611 48616->48615 48617 2e2afe0 GetModuleHandleW 48616->48617 48618 2e2b00d 48617->48618 48618->48611 48620 2e2addc 48619->48620 48621 2e2adb9 48619->48621 48620->48611 48621->48620 48622 2e2afe0 GetModuleHandleW 48621->48622 48623 2e2b00d 48622->48623 48623->48611 48675 2e2d040 48676 2e2d086 48675->48676 48680 2e2d628 48676->48680 48683 2e2d618 48676->48683 48677 2e2d173 48687 2e2d27c 48680->48687 48684 2e2d628 48683->48684 48685 2e2d27c DuplicateHandle 48684->48685 48686 2e2d656 48685->48686 48686->48677 48688 2e2d690 DuplicateHandle 48687->48688 48689 2e2d656 48688->48689 48689->48677 48690 702d060 48691 702d1eb 48690->48691 48693 702d086 48690->48693 48693->48691 48694 702aa18 48693->48694 48695 702d2e0 PostMessageW 48694->48695 48696 702d34c 48695->48696 48696->48693 48624 5437750 48625 543777d 48624->48625 48648 54373fc 48625->48648 48627 5437801 48652 543741c 48627->48652 48629 5437865 48630 543741c 3 API calls 48629->48630 48631 5437897 48630->48631 48632 543741c 3 API calls 48631->48632 48633 54378c9 48632->48633 48657 543742c 48633->48657 48635 54378fb 48636 543742c 3 API calls 48635->48636 48637 543792d 48636->48637 48638 543742c 3 API calls 48637->48638 48639 543795f 48638->48639 48640 54373fc 3 API calls 48639->48640 48641 5437991 48640->48641 48642 543741c 3 API calls 48641->48642 48643 5437a59 48642->48643 48644 543741c 3 API calls 48643->48644 48645 5437a8b 48644->48645 48646 543741c 3 API calls 48645->48646 48647 5437abd 48646->48647 48649 5437407 48648->48649 48662 54375cc 48649->48662 48651 5439a99 48651->48627 48653 5437427 48652->48653 48655 2e2830b 3 API calls 48653->48655 48656 2e25ccc 3 API calls 48653->48656 48654 543a9f3 48654->48629 48655->48654 48656->48654 48658 5437437 48657->48658 48659 543b562 48658->48659 48660 2e2830b 3 API calls 48658->48660 48661 2e25ccc 3 API calls 48658->48661 48659->48635 48660->48659 48661->48659 48663 54375d7 48662->48663 48666 2e25ccc 3 API calls 48663->48666 48667 2e2830b 48663->48667 48664 5439b8c 48664->48651 48666->48664 48668 2e28313 48667->48668 48670 2e285cb 48668->48670 48671 74d4ca9 DrawTextExW 48668->48671 48672 74d4cb0 DrawTextExW 48668->48672 48669 2e28609 48669->48664 48670->48669 48673 2e2cd68 3 API calls 48670->48673 48674 2e2cd78 3 API calls 48670->48674 48671->48670 48672->48670 48673->48669 48674->48669 48697 138d01c 48698 138d034 48697->48698 48699 138d08e 48698->48699 48704 5432808 48698->48704 48709 5431aa8 48698->48709 48714 5431a98 48698->48714 48719 5432818 48698->48719 48705 5432818 48704->48705 48706 5432877 48705->48706 48724 5432991 48705->48724 48729 54329a0 48705->48729 48710 5431ace 48709->48710 48712 5432808 2 API calls 48710->48712 48713 5432818 2 API calls 48710->48713 48711 5431aef 48711->48699 48712->48711 48713->48711 48715 5431aa8 48714->48715 48717 5432808 2 API calls 48715->48717 48718 5432818 2 API calls 48715->48718 48716 5431aef 48716->48699 48717->48716 48718->48716 48720 5432845 48719->48720 48721 5432877 48720->48721 48722 5432991 2 API calls 48720->48722 48723 54329a0 2 API calls 48720->48723 48722->48721 48723->48721 48726 54329a0 48724->48726 48725 5432a40 48725->48706 48734 5432a48 48726->48734 48738 5432a58 48726->48738 48731 54329b4 48729->48731 48730 5432a40 48730->48706 48732 5432a48 2 API calls 48731->48732 48733 5432a58 2 API calls 48731->48733 48732->48730 48733->48730 48735 5432a58 48734->48735 48736 5432a69 48735->48736 48741 5434012 48735->48741 48736->48725 48739 5432a69 48738->48739 48740 5434012 2 API calls 48738->48740 48739->48725 48740->48739 48745 5434040 48741->48745 48749 5434030 48741->48749 48742 543402a 48742->48736 48746 5434082 48745->48746 48748 5434089 48745->48748 48747 54340da CallWindowProcW 48746->48747 48746->48748 48747->48748 48748->48742 48750 5434082 48749->48750 48752 5434089 48749->48752 48751 54340da CallWindowProcW 48750->48751 48750->48752 48751->48752 48752->48742 48465 2e24668 48466 2e2467a 48465->48466 48467 2e24686 48466->48467 48471 2e24779 48466->48471 48476 2e23e40 48467->48476 48469 2e246a5 48472 2e2479d 48471->48472 48480 2e24888 48472->48480 48484 2e24879 48472->48484 48477 2e23e4b 48476->48477 48492 2e25c4c 48477->48492 48479 2e27048 48479->48469 48482 2e248af 48480->48482 48481 2e2498c 48481->48481 48482->48481 48488 2e244c4 48482->48488 48486 2e24888 48484->48486 48485 2e2498c 48485->48485 48486->48485 48487 2e244c4 CreateActCtxA 48486->48487 48487->48485 48489 2e25918 CreateActCtxA 48488->48489 48491 2e259db 48489->48491 48493 2e25c57 48492->48493 48496 2e25c6c 48493->48496 48495 2e270ed 48495->48479 48497 2e25c77 48496->48497 48500 2e25c9c 48497->48500 48499 2e271c2 48499->48495 48501 2e25ca7 48500->48501 48504 2e25ccc 48501->48504 48503 2e272c5 48503->48499 48505 2e25cd7 48504->48505 48507 2e285cb 48505->48507 48512 74d4ca9 48505->48512 48517 74d4cb0 48505->48517 48506 2e28609 48506->48503 48507->48506 48522 2e2cd68 48507->48522 48527 2e2cd78 48507->48527 48513 74d4cb0 48512->48513 48514 74d4d0b 48513->48514 48532 543b5b9 48513->48532 48538 543b5c8 48513->48538 48514->48507 48518 74d4cbe 48517->48518 48519 74d4d0b 48518->48519 48520 543b5b9 DrawTextExW 48518->48520 48521 543b5c8 DrawTextExW 48518->48521 48519->48507 48520->48519 48521->48519 48523 2e2cd99 48522->48523 48524 2e2cdbd 48523->48524 48567 2e2cf28 48523->48567 48571 2e2cf18 48523->48571 48524->48506 48528 2e2cd99 48527->48528 48529 2e2cdbd 48528->48529 48530 2e2cf28 3 API calls 48528->48530 48531 2e2cf18 3 API calls 48528->48531 48529->48506 48530->48529 48531->48529 48533 543b5c8 48532->48533 48534 543b6a2 48533->48534 48544 74d2118 48533->48544 48549 74d2128 48533->48549 48534->48514 48535 543b635 48535->48514 48539 543b5f0 48538->48539 48540 543b6a2 48538->48540 48542 74d2118 DrawTextExW 48539->48542 48543 74d2128 DrawTextExW 48539->48543 48540->48514 48541 543b635 48541->48514 48542->48541 48543->48541 48546 74d2128 48544->48546 48545 74d215e 48545->48535 48546->48545 48554 74d0fec 48546->48554 48548 74d21c9 48551 74d2149 48549->48551 48550 74d215e 48550->48535 48551->48550 48552 74d0fec DrawTextExW 48551->48552 48553 74d21c9 48552->48553 48556 74d0ff7 48554->48556 48555 74d3d99 48555->48548 48556->48555 48560 74d4908 48556->48560 48563 74d48f8 48556->48563 48557 74d3eac 48557->48548 48561 74d3394 DrawTextExW 48560->48561 48562 74d4925 48561->48562 48562->48557 48564 74d4908 48563->48564 48565 74d3394 DrawTextExW 48564->48565 48566 74d4925 48565->48566 48566->48557 48568 2e2cf35 48567->48568 48570 2e2cf6f 48568->48570 48575 2e2bae0 48568->48575 48570->48524 48573 2e2cf28 48571->48573 48572 2e2cf6f 48572->48524 48573->48572 48574 2e2bae0 3 API calls 48573->48574 48574->48572 48576 2e2baeb 48575->48576 48578 2e2dc88 48576->48578 48579 2e2d2dc 48576->48579 48580 2e2d2e7 48579->48580 48581 2e25ccc 3 API calls 48580->48581 48582 2e2dcf7 48581->48582 48586 2e2fa88 48582->48586 48592 2e2fa70 48582->48592 48583 2e2dd31 48583->48578 48588 2e2fab9 48586->48588 48589 2e2fbb9 48586->48589 48587 2e2fac5 48587->48583 48588->48587 48590 54309b3 CreateWindowExW CreateWindowExW 48588->48590 48591 54309c0 CreateWindowExW CreateWindowExW 48588->48591 48589->48583 48590->48589 48591->48589 48594 2e2fab9 48592->48594 48595 2e2fbb9 48592->48595 48593 2e2fac5 48593->48583 48594->48593 48596 54309b3 CreateWindowExW CreateWindowExW 48594->48596 48597 54309c0 CreateWindowExW CreateWindowExW 48594->48597 48595->48583 48596->48595 48597->48595 48598 702e6c8 48599 702e6e6 48598->48599 48600 702e6f0 48598->48600 48602 702e730 48599->48602 48603 702e73e 48602->48603 48606 702e75d 48602->48606 48607 702dd60 48603->48607 48608 702e8a8 CloseHandle 48607->48608 48609 702e759 48608->48609 48609->48600 48753 74d51a0 48755 2e2830b 3 API calls 48753->48755 48756 2e25ccc 3 API calls 48753->48756 48754 74d51c2 48755->48754 48756->48754 48757 702b37d 48758 702b27c 48757->48758 48759 702b304 48758->48759 48762 702be80 48758->48762 48782 702be71 48758->48782 48763 702be9a 48762->48763 48802 702c4c4 48763->48802 48808 702c287 48763->48808 48812 702c8a0 48763->48812 48817 702caa2 48763->48817 48823 702c65d 48763->48823 48828 702c618 48763->48828 48833 702c757 48763->48833 48838 702c2f1 48763->48838 48844 702c6b1 48763->48844 48850 702c813 48763->48850 48855 702c733 48763->48855 48861 702c552 48763->48861 48866 702c5ac 48763->48866 48873 702ca2f 48763->48873 48878 702c348 48763->48878 48884 702c388 48763->48884 48888 702c705 48763->48888 48764 702bebe 48764->48759 48783 702be80 48782->48783 48785 702caa2 2 API calls 48783->48785 48786 702c8a0 4 API calls 48783->48786 48787 702c287 2 API calls 48783->48787 48788 702c4c4 2 API calls 48783->48788 48789 702c705 3 API calls 48783->48789 48790 702c388 2 API calls 48783->48790 48791 702c348 2 API calls 48783->48791 48792 702ca2f 4 API calls 48783->48792 48793 702c5ac 5 API calls 48783->48793 48794 702c552 2 API calls 48783->48794 48795 702c733 2 API calls 48783->48795 48796 702c813 2 API calls 48783->48796 48797 702c6b1 2 API calls 48783->48797 48798 702c2f1 2 API calls 48783->48798 48799 702c757 2 API calls 48783->48799 48800 702c618 2 API calls 48783->48800 48801 702c65d 3 API calls 48783->48801 48784 702bebe 48784->48759 48785->48784 48786->48784 48787->48784 48788->48784 48789->48784 48790->48784 48791->48784 48792->48784 48793->48784 48794->48784 48795->48784 48796->48784 48797->48784 48798->48784 48799->48784 48800->48784 48801->48784 48803 702c2fd 48802->48803 48804 702cbd5 48803->48804 48894 702a100 48803->48894 48898 702a108 48803->48898 48804->48764 48805 702cca4 48902 702ae10 48808->48902 48906 702ae04 48808->48906 48910 702a5e9 48812->48910 48914 702a6c1 48812->48914 48920 702a5f0 48812->48920 48813 702c385 48813->48764 48818 702c2fd 48817->48818 48820 702cbd5 48818->48820 48821 702a100 ResumeThread 48818->48821 48822 702a108 ResumeThread 48818->48822 48819 702cca4 48820->48764 48821->48819 48822->48819 48824 702c691 48823->48824 48924 702a870 48823->48924 48928 702a878 48823->48928 48932 702a951 48823->48932 48824->48764 48829 702c63b 48828->48829 48936 702a788 48829->48936 48940 702a780 48829->48940 48830 702cc0d 48834 702c75d 48833->48834 48836 702a100 ResumeThread 48834->48836 48837 702a108 ResumeThread 48834->48837 48835 702cca4 48836->48835 48837->48835 48839 702c2fd 48838->48839 48841 702cbd5 48839->48841 48842 702a100 ResumeThread 48839->48842 48843 702a108 ResumeThread 48839->48843 48840 702cca4 48841->48764 48842->48840 48843->48840 48846 702c2fd 48844->48846 48845 702cca4 48847 702c6e6 48846->48847 48848 702a100 ResumeThread 48846->48848 48849 702a108 ResumeThread 48846->48849 48847->48764 48848->48845 48849->48845 48851 702c76e 48850->48851 48853 702a100 ResumeThread 48851->48853 48854 702a108 ResumeThread 48851->48854 48852 702cca4 48853->48852 48854->48852 48856 702c2fd 48855->48856 48856->48855 48857 702cbd5 48856->48857 48859 702a100 ResumeThread 48856->48859 48860 702a108 ResumeThread 48856->48860 48857->48764 48858 702cca4 48859->48858 48860->48858 48862 702c558 48861->48862 48864 702a780 WriteProcessMemory 48862->48864 48865 702a788 WriteProcessMemory 48862->48865 48863 702c58d 48864->48863 48865->48863 48871 702a6c1 2 API calls 48866->48871 48944 702a6c8 48866->48944 48867 702c569 48868 702c58d 48867->48868 48869 702a780 WriteProcessMemory 48867->48869 48870 702a788 WriteProcessMemory 48867->48870 48869->48868 48870->48868 48871->48867 48875 702a5f0 Wow64SetThreadContext 48873->48875 48876 702a6c1 2 API calls 48873->48876 48877 702a5e9 Wow64SetThreadContext 48873->48877 48874 702ca49 48875->48874 48876->48874 48877->48874 48879 702c2fd 48878->48879 48880 702cbd5 48879->48880 48882 702a100 ResumeThread 48879->48882 48883 702a108 ResumeThread 48879->48883 48880->48764 48881 702cca4 48882->48881 48883->48881 48886 702a780 WriteProcessMemory 48884->48886 48887 702a788 WriteProcessMemory 48884->48887 48885 702c3b0 48886->48885 48887->48885 48889 702c66f 48888->48889 48891 702a870 ReadProcessMemory 48889->48891 48892 702a951 ReadProcessMemory 48889->48892 48893 702a878 ReadProcessMemory 48889->48893 48890 702c691 48890->48764 48891->48890 48892->48890 48893->48890 48895 702a108 ResumeThread 48894->48895 48897 702a179 48895->48897 48897->48805 48899 702a148 ResumeThread 48898->48899 48901 702a179 48899->48901 48901->48805 48903 702ae99 48902->48903 48903->48903 48904 702affe CreateProcessA 48903->48904 48905 702b05b 48904->48905 48907 702ae10 48906->48907 48907->48907 48908 702affe CreateProcessA 48907->48908 48909 702b05b 48908->48909 48911 702a5f0 Wow64SetThreadContext 48910->48911 48913 702a67d 48911->48913 48913->48813 48915 702a653 Wow64SetThreadContext 48914->48915 48916 702a6c6 VirtualAllocEx 48914->48916 48917 702a67d 48915->48917 48919 702a745 48916->48919 48917->48813 48919->48813 48921 702a635 Wow64SetThreadContext 48920->48921 48923 702a67d 48921->48923 48923->48813 48925 702a8c3 ReadProcessMemory 48924->48925 48927 702a907 48925->48927 48927->48824 48929 702a8c3 ReadProcessMemory 48928->48929 48931 702a907 48929->48931 48931->48824 48933 702a8e5 ReadProcessMemory 48932->48933 48935 702a956 48932->48935 48934 702a907 48933->48934 48934->48824 48935->48824 48937 702a7d0 WriteProcessMemory 48936->48937 48939 702a827 48937->48939 48939->48830 48941 702a788 WriteProcessMemory 48940->48941 48943 702a827 48941->48943 48943->48830 48945 702a708 VirtualAllocEx 48944->48945 48947 702a745 48945->48947 48947->48867

                                          Executed Functions

                                          Function 0702A6C1 Relevance: 3.1, APIs: 2, Instructions: 87memorythreadCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1296 702a6c1-702a6c4 1297 702a653-702a67b Wow64SetThreadContext 1296->1297 1298 702a6c6-702a743 VirtualAllocEx 1296->1298 1300 702a684-702a6b4 1297->1300 1301 702a67d-702a683 1297->1301 1307 702a745-702a74b 1298->1307 1308 702a74c-702a771 1298->1308 1301->1300 1307->1308
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0702A66E
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0702A736
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1443128682.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7020000_mpTrle.jbxd
                                          Similarity
                                          • API ID: AllocContextThreadVirtualWow64
                                          • String ID:
                                          • API String ID: 2727713192-0
                                          • Opcode ID: ff98356655a62a8e6600af55547545fcc0c80372e45d0718e5ec01ec108c143a
                                          • Instruction ID: 2b6ba340e1756296ff05ec3e042e29f25a40de3d8326b664285c81e764a83b86
                                          • Opcode Fuzzy Hash: ff98356655a62a8e6600af55547545fcc0c80372e45d0718e5ec01ec108c143a
                                          • Instruction Fuzzy Hash: 2B3189B2D003098FCB20DFAAC8497DEFBF4AF48320F14841AD519A7250DB799545DFA4
                                          Function 0702AE04 Relevance: 1.8, APIs: 1, Instructions: 252processCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1505 702ae04-702aea5 1508 702aea7-702aeb1 1505->1508 1509 702aede-702aefe 1505->1509 1508->1509 1510 702aeb3-702aeb5 1508->1510 1516 702af00-702af0a 1509->1516 1517 702af37-702af66 1509->1517 1511 702aeb7-702aec1 1510->1511 1512 702aed8-702aedb 1510->1512 1514 702aec3 1511->1514 1515 702aec5-702aed4 1511->1515 1512->1509 1514->1515 1515->1515 1518 702aed6 1515->1518 1516->1517 1519 702af0c-702af0e 1516->1519 1523 702af68-702af72 1517->1523 1524 702af9f-702b059 CreateProcessA 1517->1524 1518->1512 1521 702af10-702af1a 1519->1521 1522 702af31-702af34 1519->1522 1525 702af1e-702af2d 1521->1525 1526 702af1c 1521->1526 1522->1517 1523->1524 1528 702af74-702af76 1523->1528 1537 702b062-702b0e8 1524->1537 1538 702b05b-702b061 1524->1538 1525->1525 1527 702af2f 1525->1527 1526->1525 1527->1522 1529 702af78-702af82 1528->1529 1530 702af99-702af9c 1528->1530 1532 702af86-702af95 1529->1532 1533 702af84 1529->1533 1530->1524 1532->1532 1535 702af97 1532->1535 1533->1532 1535->1530 1548 702b0ea-702b0ee 1537->1548 1549 702b0f8-702b0fc 1537->1549 1538->1537 1548->1549 1550 702b0f0 1548->1550 1551 702b0fe-702b102 1549->1551 1552 702b10c-702b110 1549->1552 1550->1549 1551->1552 1553 702b104 1551->1553 1554 702b112-702b116 1552->1554 1555 702b120-702b124 1552->1555 1553->1552 1554->1555 1556 702b118 1554->1556 1557 702b136-702b13d 1555->1557 1558 702b126-702b12c 1555->1558 1556->1555 1559 702b154 1557->1559 1560 702b13f-702b14e 1557->1560 1558->1557 1562 702b155 1559->1562 1560->1559 1562->1562
                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0702B046
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1443128682.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7020000_mpTrle.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 1de1cf66137260ee122701e0b34b4994cb381a3f78e51de0fa2c891a1c22e962
                                          • Instruction ID: ef54baea2252f682fac5202dccdcf94b18ca3fb6551a7646c76cf57373f54653
                                          • Opcode Fuzzy Hash: 1de1cf66137260ee122701e0b34b4994cb381a3f78e51de0fa2c891a1c22e962
                                          • Instruction Fuzzy Hash: 74A15FB1E00229DFDF50DF68C8417DDBBF2AB44314F14826AD859A7240DB749986DF91
                                          Function 0702AE10 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1563 702ae10-702aea5 1565 702aea7-702aeb1 1563->1565 1566 702aede-702aefe 1563->1566 1565->1566 1567 702aeb3-702aeb5 1565->1567 1573 702af00-702af0a 1566->1573 1574 702af37-702af66 1566->1574 1568 702aeb7-702aec1 1567->1568 1569 702aed8-702aedb 1567->1569 1571 702aec3 1568->1571 1572 702aec5-702aed4 1568->1572 1569->1566 1571->1572 1572->1572 1575 702aed6 1572->1575 1573->1574 1576 702af0c-702af0e 1573->1576 1580 702af68-702af72 1574->1580 1581 702af9f-702b059 CreateProcessA 1574->1581 1575->1569 1578 702af10-702af1a 1576->1578 1579 702af31-702af34 1576->1579 1582 702af1e-702af2d 1578->1582 1583 702af1c 1578->1583 1579->1574 1580->1581 1585 702af74-702af76 1580->1585 1594 702b062-702b0e8 1581->1594 1595 702b05b-702b061 1581->1595 1582->1582 1584 702af2f 1582->1584 1583->1582 1584->1579 1586 702af78-702af82 1585->1586 1587 702af99-702af9c 1585->1587 1589 702af86-702af95 1586->1589 1590 702af84 1586->1590 1587->1581 1589->1589 1592 702af97 1589->1592 1590->1589 1592->1587 1605 702b0ea-702b0ee 1594->1605 1606 702b0f8-702b0fc 1594->1606 1595->1594 1605->1606 1607 702b0f0 1605->1607 1608 702b0fe-702b102 1606->1608 1609 702b10c-702b110 1606->1609 1607->1606 1608->1609 1610 702b104 1608->1610 1611 702b112-702b116 1609->1611 1612 702b120-702b124 1609->1612 1610->1609 1611->1612 1613 702b118 1611->1613 1614 702b136-702b13d 1612->1614 1615 702b126-702b12c 1612->1615 1613->1612 1616 702b154 1614->1616 1617 702b13f-702b14e 1614->1617 1615->1614 1619 702b155 1616->1619 1617->1616 1619->1619
                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0702B046
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1443128682.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7020000_mpTrle.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 5d1e0f71bfda40306d4ccf6fc1042c81357d59ed4ce6486a8b2c6a167c577441
                                          • Instruction ID: 25d7ffec846119b80cad4abf604b83cadaa1819104773761fe194d496a184f0f
                                          • Opcode Fuzzy Hash: 5d1e0f71bfda40306d4ccf6fc1042c81357d59ed4ce6486a8b2c6a167c577441
                                          • Instruction Fuzzy Hash: 6C915EF1E0062ADFDF60CFA8C8417DDBBF2AB44314F14826AD859A7240DB749986DF91
                                          Function 02E2ADA8 Relevance: 1.7, APIs: 1, Instructions: 198COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1620 2e2ada8-2e2adb7 1621 2e2ade3-2e2ade7 1620->1621 1622 2e2adb9-2e2adc6 call 2e2a0cc 1620->1622 1623 2e2adfb-2e2ae3c 1621->1623 1624 2e2ade9-2e2adf3 1621->1624 1629 2e2adc8 1622->1629 1630 2e2addc 1622->1630 1631 2e2ae49-2e2ae57 1623->1631 1632 2e2ae3e-2e2ae46 1623->1632 1624->1623 1676 2e2adce call 2e2b040 1629->1676 1677 2e2adce call 2e2b031 1629->1677 1630->1621 1634 2e2ae7b-2e2ae7d 1631->1634 1635 2e2ae59-2e2ae5e 1631->1635 1632->1631 1633 2e2add4-2e2add6 1633->1630 1636 2e2af18-2e2afd8 1633->1636 1637 2e2ae80-2e2ae87 1634->1637 1638 2e2ae60-2e2ae67 call 2e2a0d8 1635->1638 1639 2e2ae69 1635->1639 1671 2e2afe0-2e2b00b GetModuleHandleW 1636->1671 1672 2e2afda-2e2afdd 1636->1672 1641 2e2ae94-2e2ae9b 1637->1641 1642 2e2ae89-2e2ae91 1637->1642 1640 2e2ae6b-2e2ae79 1638->1640 1639->1640 1640->1637 1645 2e2aea8-2e2aeaa call 2e2a0e8 1641->1645 1646 2e2ae9d-2e2aea5 1641->1646 1642->1641 1649 2e2aeaf-2e2aeb1 1645->1649 1646->1645 1651 2e2aeb3-2e2aebb 1649->1651 1652 2e2aebe-2e2aec3 1649->1652 1651->1652 1653 2e2aee1-2e2aeee 1652->1653 1654 2e2aec5-2e2aecc 1652->1654 1661 2e2aef0-2e2af0e 1653->1661 1662 2e2af11-2e2af17 1653->1662 1654->1653 1656 2e2aece-2e2aede call 2e2a0f8 call 2e2a108 1654->1656 1656->1653 1661->1662 1673 2e2b014-2e2b028 1671->1673 1674 2e2b00d-2e2b013 1671->1674 1672->1671 1674->1673 1676->1633 1677->1633
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 02E2AFFE
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1440019950.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_2e20000_mpTrle.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: eed8f2a071ef050b05f012077e1e0caa8fd34d389d39500f0999b0231411ea5f
                                          • Instruction ID: 9e96cbf6014b42affa8d47ca3912d794b8b46164e01c7128e12adf138b9dd31f
                                          • Opcode Fuzzy Hash: eed8f2a071ef050b05f012077e1e0caa8fd34d389d39500f0999b0231411ea5f
                                          • Instruction Fuzzy Hash: C571F270A00B159FD724DF2AD54575ABBF5BB88308F008A2DE48A97B50DB75E84ACB90
                                          Function 054318E4 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1802 54318e4-5431956 1804 5431961-5431968 1802->1804 1805 5431958-543195e 1802->1805 1806 5431973-5431a12 CreateWindowExW 1804->1806 1807 543196a-5431970 1804->1807 1805->1804 1809 5431a14-5431a1a 1806->1809 1810 5431a1b-5431a53 1806->1810 1807->1806 1809->1810 1814 5431a60 1810->1814 1815 5431a55-5431a58 1810->1815 1816 5431a61 1814->1816 1815->1814 1816->1816
                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05431A02
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1442674911.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_5430000_mpTrle.jbxd
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          • Opcode ID: 9df60e8635959784c59ee3fc5f47c650daf6d96553a45b320735490eadf96bc9
                                          • Instruction ID: 3bae7bdfde6a99431381a64f240dc3ae6c3aeb36c0491d5ed6efe170d047377f
                                          • Opcode Fuzzy Hash: 9df60e8635959784c59ee3fc5f47c650daf6d96553a45b320735490eadf96bc9
                                          • Instruction Fuzzy Hash: 0E51A0B1D003499FDB14DF99C985ADEFBB5BF48310F64812AE819AB210D7719945CF90
                                          Function 054318F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1817 54318f0-5431956 1818 5431961-5431968 1817->1818 1819 5431958-543195e 1817->1819 1820 5431973-5431a12 CreateWindowExW 1818->1820 1821 543196a-5431970 1818->1821 1819->1818 1823 5431a14-5431a1a 1820->1823 1824 5431a1b-5431a53 1820->1824 1821->1820 1823->1824 1828 5431a60 1824->1828 1829 5431a55-5431a58 1824->1829 1830 5431a61 1828->1830 1829->1828 1830->1830
                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05431A02
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1442674911.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_5430000_mpTrle.jbxd
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          • Opcode ID: 9e72a033ac92bd82c0a02c2f9ddc4820584aef688757acfeaca54bce46a34936
                                          • Instruction ID: 7c03e47d8e2e35902b788d76a2244306ee9e23321156d84e858054003e10c20a
                                          • Opcode Fuzzy Hash: 9e72a033ac92bd82c0a02c2f9ddc4820584aef688757acfeaca54bce46a34936
                                          • Instruction Fuzzy Hash: 4341B0B1D003499FDB14DF99C885ADEFBB5BF48310F64812AE819AB220D7719985CF90
                                          Function 02E244C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1831 2e244c4-2e259d9 CreateActCtxA 1834 2e259e2-2e25a3c 1831->1834 1835 2e259db-2e259e1 1831->1835 1842 2e25a4b-2e25a4f 1834->1842 1843 2e25a3e-2e25a41 1834->1843 1835->1834 1844 2e25a60-2e25a90 1842->1844 1845 2e25a51-2e25a5d 1842->1845 1843->1842 1849 2e25a42-2e25a4a 1844->1849 1850 2e25a92-2e25b14 1844->1850 1845->1844 1849->1842
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 02E259C9
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1440019950.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_2e20000_mpTrle.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 7577db6b515c23cbc84d1db8b1c18248308ab9db91f531d13b2b9d06524f2836
                                          • Instruction ID: b15216fddfa89d55b081481ce6ded79a6565ae9beec106ef0bb156bd8a35ff2f
                                          • Opcode Fuzzy Hash: 7577db6b515c23cbc84d1db8b1c18248308ab9db91f531d13b2b9d06524f2836
                                          • Instruction Fuzzy Hash: 1641F2B1C0072DCBDB24CFA9C985B9EBBB5BF48304F64806AD409AB255DB716949CF90
                                          Function 02E2590C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                          Download Yara Rule
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 02E259C9
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1440019950.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_2e20000_mpTrle.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 2450a1b038c14bd2621d37a72b81cf7831317735ad153ac1d742dd8ea25f641f
                                          • Instruction ID: c8554316b6e7bce707213925310e18a3576eb69a85c553ae87950cca7d147880
                                          • Opcode Fuzzy Hash: 2450a1b038c14bd2621d37a72b81cf7831317735ad153ac1d742dd8ea25f641f
                                          • Instruction Fuzzy Hash: EA41F3B1C0071DCFDB24CFA9C985B9EBBB5BF49304F60806AD409AB255DB715989CF90
                                          Function 05434040 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                          Download Yara Rule
                                          APIs
                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 05434101
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1442674911.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_5430000_mpTrle.jbxd
                                          Similarity
                                          • API ID: CallProcWindow
                                          • String ID:
                                          • API String ID: 2714655100-0
                                          • Opcode ID: ed59449d2aa658fcf67c52d472340748831039665bf51d265465a41a61a8f9d4
                                          • Instruction ID: 60a780a517114eb5c78e753cb9d521f476040ee99cb130737f71935d3cda40a7
                                          • Opcode Fuzzy Hash: ed59449d2aa658fcf67c52d472340748831039665bf51d265465a41a61a8f9d4
                                          • Instruction Fuzzy Hash: AF4116B5A003098FCB14CF99C449AAABBF5FB8C314F25C499D519AB321D735A845CFA0
                                          Function 0702A951 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
                                          Download Yara Rule
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0702A8F8
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1443128682.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7020000_mpTrle.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: e7fee3f86e2e197d066a7e259065a16cb8861be34641092b31b25a6d85aedee5
                                          • Instruction ID: bfa74061dd5e740f33779cd9efe353b8c0e107fa2b8a568a3f729e5d8839815b
                                          • Opcode Fuzzy Hash: e7fee3f86e2e197d066a7e259065a16cb8861be34641092b31b25a6d85aedee5
                                          • Instruction Fuzzy Hash: 27318AB2D003198FDB20DFAAD8457DEFBF4AF48320F25841AD459A7250DB38A546DBA0
                                          Function 0702A780 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON
                                          Download Yara Rule
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0702A818
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1443128682.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7020000_mpTrle.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 7a0bdecb76f1eda0c874bc978db35ab9876772f098c993525917d827b4c89fa3
                                          • Instruction ID: d6ffcd7566fb524e8548104190054034adf7c1168d49aa1c9f5fe6727e53df70
                                          • Opcode Fuzzy Hash: 7a0bdecb76f1eda0c874bc978db35ab9876772f098c993525917d827b4c89fa3
                                          • Instruction Fuzzy Hash: 5E2137B29003199FCB10DFA9C985BDEBBF5FF48310F10842AE919A7240DB749945DFA4
                                          Function 074D3394 Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                                          Download Yara Rule
                                          APIs
                                          • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,074D4925,?,?), ref: 074D49D7
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1443322960.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_74d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: DrawText
                                          • String ID:
                                          • API String ID: 2175133113-0
                                          • Opcode ID: b95125005bca8dcce19beb59d0ee04e81401aa042fc39aa8d0c0c11b1efd438d
                                          • Instruction ID: 20caf44244ecc34f083d27487a124c43003d75f6729b61d5d5a6a690e0eb5a1d
                                          • Opcode Fuzzy Hash: b95125005bca8dcce19beb59d0ee04e81401aa042fc39aa8d0c0c11b1efd438d
                                          • Instruction Fuzzy Hash: E43102B5D003499FDB10CFAAD884ADEFBF5EB48320F14842AE959A7310D774A945CFA0
                                          Function 074D493A Relevance: 1.6, APIs: 1, Instructions: 71COMMON
                                          Download Yara Rule
                                          APIs
                                          • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,074D4925,?,?), ref: 074D49D7
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1443322960.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_74d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: DrawText
                                          • String ID:
                                          • API String ID: 2175133113-0
                                          • Opcode ID: 8f734489cadcaa21c5919b8c17c8bd5ed6afce96bff7565ee927b5aba41d2a26
                                          • Instruction ID: 2dcc685ddda0d9fcd8ab5754809538a07a1f712caee0c4dba9e6ea124c9626b1
                                          • Opcode Fuzzy Hash: 8f734489cadcaa21c5919b8c17c8bd5ed6afce96bff7565ee927b5aba41d2a26
                                          • Instruction Fuzzy Hash: 8531C0B5D003499FDB10CFAAD884ADEFBF5EB48320F14842AE959A7310D774A945CFA0
                                          Function 0702A788 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                          Download Yara Rule
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0702A818
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1443128682.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7020000_mpTrle.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 83893e5ae7c69a9dee3bb930712a89f85e697a5b3aba74c9c931231db359fa6f
                                          • Instruction ID: 169b015f5ed7236795222151cf29d7e9c1e2d71f6da8d3c39d357e32ae8916fa
                                          • Opcode Fuzzy Hash: 83893e5ae7c69a9dee3bb930712a89f85e697a5b3aba74c9c931231db359fa6f
                                          • Instruction Fuzzy Hash: A02157B2D003199FCB10DFA9C985BDEBBF5FF48310F10842AE919A7240CB789945CBA4
                                          Function 0702A5E9 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON
                                          Download Yara Rule
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0702A66E
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1443128682.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7020000_mpTrle.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 6977812838bb823ebc201728249873e03f74302f7244d4af22f16c02dc259210
                                          • Instruction ID: c95f5b553be75fc9e348757e9825eb1e9c1872f088d29f8eb13ea2cd0557e8c6
                                          • Opcode Fuzzy Hash: 6977812838bb823ebc201728249873e03f74302f7244d4af22f16c02dc259210
                                          • Instruction Fuzzy Hash: AA2145B19003099FCB10DFAAC4897EEFBF4EB48324F10842AD459A7240CB78A945CBA4
                                          Function 02E2D27C Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                          Download Yara Rule
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E2D656,?,?,?,?,?), ref: 02E2D717
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1440019950.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_2e20000_mpTrle.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 5abf1e48fccf4c7bc51f834f83915dd492f5738db1c7bd29488e5302c4f592fd
                                          • Instruction ID: f96ff1b58aaaf1a6d278c7fbe99a6fa7684078136c7cf265f746da1b688fd071
                                          • Opcode Fuzzy Hash: 5abf1e48fccf4c7bc51f834f83915dd492f5738db1c7bd29488e5302c4f592fd
                                          • Instruction Fuzzy Hash: A621E5B5D003589FDB10CFAAD985ADEFBF4EB48310F14841AE919A3310D374A954CFA5
                                          Function 0702A870 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                          Download Yara Rule
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0702A8F8
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1443128682.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7020000_mpTrle.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 3f5dce6dd1ad67f427826e2077746ba6c2c26ca8ceeed02b0e7387ec85cff956
                                          • Instruction ID: 0762a6e47570b9844977bfc20e516929bb60dd6220fd62e536dd30c14deb4cbc
                                          • Opcode Fuzzy Hash: 3f5dce6dd1ad67f427826e2077746ba6c2c26ca8ceeed02b0e7387ec85cff956
                                          • Instruction Fuzzy Hash: 612148B2D003599FCB10DFAAC8856EEFBF5FF48310F10842AE559A3250C7349946CBA0
                                          Function 02E2D689 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                          Download Yara Rule
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E2D656,?,?,?,?,?), ref: 02E2D717
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1440019950.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_2e20000_mpTrle.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 2102cbccaf415f868c1674dcb11748588fc2dbadeea6d30cb39d8f2144ebf6ad
                                          • Instruction ID: 30871007b00a8bafedbdbb025ded2eeff2cc426ddfe2920ffdea47f8089afb0f
                                          • Opcode Fuzzy Hash: 2102cbccaf415f868c1674dcb11748588fc2dbadeea6d30cb39d8f2144ebf6ad
                                          • Instruction Fuzzy Hash: F32103B5D00308AFDB10CFAAD984ADEFBF4EB48314F14801AE918B3210D378A945CFA4
                                          Function 0702A5F0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                          Download Yara Rule
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0702A66E
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1443128682.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7020000_mpTrle.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 56383bc8eab106e3f446a5dfc817bef24b711e047e5d7f0615d00f603341805d
                                          • Instruction ID: 3eccf4fb7cca1cacae452a3cac7a907cdba443c225980116238c7f6560682f91
                                          • Opcode Fuzzy Hash: 56383bc8eab106e3f446a5dfc817bef24b711e047e5d7f0615d00f603341805d
                                          • Instruction Fuzzy Hash: 962137B1D003198FDB10DFAAC4857EEFBF4AB48314F10842AD419A7240CB789945CBA4
                                          Function 0702A878 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                          Download Yara Rule
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0702A8F8
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1443128682.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7020000_mpTrle.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 9448362c9d74eafbe18580c4e83a51e7dbea96dd6c8c8498108c7adb069abc99
                                          • Instruction ID: b4b042fe25fe3c0ad9f1b6df07fbea3eaf9429ad77e6b10d2e4fcaa57ca0e497
                                          • Opcode Fuzzy Hash: 9448362c9d74eafbe18580c4e83a51e7dbea96dd6c8c8498108c7adb069abc99
                                          • Instruction Fuzzy Hash: 352139B1D003599FCB10DFAAC885ADEFBF5FF48310F50842AE919A7250C7759945DBA0
                                          Function 0702A100 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON
                                          Download Yara Rule
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1443128682.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7020000_mpTrle.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 1ab030b3330e4ed6a2b012a4aaab839a0adc0f868b7af54334d86c0322e8d8c8
                                          • Instruction ID: c47173c90d30aaca0077da37b14239c656ff619e184b005c0a119d3fc59d04cd
                                          • Opcode Fuzzy Hash: 1ab030b3330e4ed6a2b012a4aaab839a0adc0f868b7af54334d86c0322e8d8c8
                                          • Instruction Fuzzy Hash: BF1134B1D003099FCB20DFAAC8457DEFBF4AF89324F20841AD419A7240DB75A945CBA4
                                          Function 0702A6C8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                          Download Yara Rule
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0702A736
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1443128682.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7020000_mpTrle.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: a38e988a993ae7251e76124abeafebce2db4598505c45784c7c6b5b01bb3e423
                                          • Instruction ID: a4cda893d44370f10ab6ec6de9e42a58fc3236ffa100144dc1b9a229173f31d0
                                          • Opcode Fuzzy Hash: a38e988a993ae7251e76124abeafebce2db4598505c45784c7c6b5b01bb3e423
                                          • Instruction Fuzzy Hash: F61126B29002499FCB20DFAAC845ADEFFF5AB48320F108419E519A7250CB75A945DBA4
                                          Function 0702A108 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                          Download Yara Rule
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1443128682.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7020000_mpTrle.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: e995c1c0b52280250dbc8ebb60a8024cfa9369a4c62c6975e29b32c89e822c52
                                          • Instruction ID: debe18611963369cddc4bb51e53d4a846942ba384266934db1ae668ec778bda1
                                          • Opcode Fuzzy Hash: e995c1c0b52280250dbc8ebb60a8024cfa9369a4c62c6975e29b32c89e822c52
                                          • Instruction Fuzzy Hash: A3113AB1D003598FDB20DFAAC4457DFFBF4AB88324F108419D419A7240CB756945CBA4
                                          Function 02E2AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                          Download Yara Rule
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 02E2AFFE
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1440019950.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_2e20000_mpTrle.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 916b9a50d61ce2a9eae5bad05d94e6548a622d54f8c1691f815907f5ec3630c2
                                          • Instruction ID: 96cd4649651bde4b7b00e69198b3976ee30616b287f6e058eb298ffda0f0cfb7
                                          • Opcode Fuzzy Hash: 916b9a50d61ce2a9eae5bad05d94e6548a622d54f8c1691f815907f5ec3630c2
                                          • Instruction Fuzzy Hash: CC1113B5C003498FCB10CF9AC444BDEFBF4AB48318F14842AD429B7210D375A549CFA1
                                          Function 0702AA18 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                          Download Yara Rule
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 0702D33D
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1443128682.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7020000_mpTrle.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 71885689f81826ad97a2e9b4d78e6bc48df2263ee4b3157ec64c75b91c593118
                                          • Instruction ID: db15f56bd7c2fac6b5a3e35020db073c97a19aeae7f6dba2d51eeb8e6ae59681
                                          • Opcode Fuzzy Hash: 71885689f81826ad97a2e9b4d78e6bc48df2263ee4b3157ec64c75b91c593118
                                          • Instruction Fuzzy Hash: 511133B68003089FCB10DF9AD489BDEFBF8EB48310F108419E958A3200C375A944CFA4
                                          Function 0702D2D9 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON
                                          Download Yara Rule
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 0702D33D
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1443128682.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7020000_mpTrle.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 15d230b07cb282cce8df9dcd6e4d623faa0e6449fb400e5b06e5e37bb4d4dbc2
                                          • Instruction ID: e588e573a11e690b33d26226d21d24cf70dadbccdb71f6e532eace9240cc6246
                                          • Opcode Fuzzy Hash: 15d230b07cb282cce8df9dcd6e4d623faa0e6449fb400e5b06e5e37bb4d4dbc2
                                          • Instruction Fuzzy Hash: FB11F2B6900359DFCB10DF99D889BDEFBF4EB48314F20845AE558A7200C375A989CFA1
                                          Function 0702DD60 Relevance: 1.3, APIs: 1, Instructions: 50COMMON
                                          Download Yara Rule
                                          APIs
                                          • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,0702E759,?,?), ref: 0702E900
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1443128682.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7020000_mpTrle.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: 2bbe2c0954d06e48c683353433b9d1994ef6d386c5c2f04756c35d7653a037ac
                                          • Instruction ID: 7bc05c1a614cf0111fdcfd091bab25447c0822a5842d3af3157bbd2c428ad85a
                                          • Opcode Fuzzy Hash: 2bbe2c0954d06e48c683353433b9d1994ef6d386c5c2f04756c35d7653a037ac
                                          • Instruction Fuzzy Hash: 791158B28003598FCB60DF99C449BDEBBF4EB48320F10842AD558A7341D338A545CFA4
                                          Function 0702DDAC Relevance: 1.3, APIs: 1, Instructions: 50COMMON
                                          Download Yara Rule
                                          APIs
                                          • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,0702E759,?,?), ref: 0702E900
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1443128682.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7020000_mpTrle.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: 9b889766ca7720edcf13b07f5eb374bb047af0505cf52512b1af2fee14339f7e
                                          • Instruction ID: 0416529233dd46ad5f7679cfb55d4c62e23ed60f81418108c190d58078656b50
                                          • Opcode Fuzzy Hash: 9b889766ca7720edcf13b07f5eb374bb047af0505cf52512b1af2fee14339f7e
                                          • Instruction Fuzzy Hash: DF1155B28003498FCB60DF99C449BEEBBF4EB48320F20842AD558A7341D338A945CFA5
                                          Function 0702DDB8 Relevance: 1.3, APIs: 1, Instructions: 50COMMON
                                          Download Yara Rule
                                          APIs
                                          • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,0702E759,?,?), ref: 0702E900
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1443128682.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7020000_mpTrle.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: 8aea9b3078b6bf86725190e7c94ebb1880129929ad3ed55c790d27612190f58c
                                          • Instruction ID: 9b4b6dcf898a730df53d4284398027355f9fc538822a2883e917fe7089f3f105
                                          • Opcode Fuzzy Hash: 8aea9b3078b6bf86725190e7c94ebb1880129929ad3ed55c790d27612190f58c
                                          • Instruction Fuzzy Hash: 971146B18003498FCB60DF99C449BDEBBF4EB48320F10842AD558A7241D338A545CFA5
                                          Function 0137D1FC Relevance: .1, Instructions: 76COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1439622946.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_137d000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2063d836401107e8f2ee4607a89149653f280fa131d628b53a86b5d21576888d
                                          • Instruction ID: 2e6afa7260cc586035939ec5e2f8e8ef766a6f9dd85ad57f72fba9326c01bd86
                                          • Opcode Fuzzy Hash: 2063d836401107e8f2ee4607a89149653f280fa131d628b53a86b5d21576888d
                                          • Instruction Fuzzy Hash: EE21F171504204DFDB16DF98D9C0B26BF65FF88328F24C5A9E9091B25AC33AD417CBA1
                                          Function 0138D01C Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1439665273.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_138d000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3f500ab8d2c8c54cd04e4511657db82cf9abb6370add8f1ef35ee85a9d856e21
                                          • Instruction ID: 68cd40d635ea779c081093fd0cd9d58b289b7feed90f9397a4fd6910d449eff9
                                          • Opcode Fuzzy Hash: 3f500ab8d2c8c54cd04e4511657db82cf9abb6370add8f1ef35ee85a9d856e21
                                          • Instruction Fuzzy Hash: F12122B1604304DFDB15EF98D980B26BF65FB88318F20C56DE80A4B396C33AD407CA61
                                          Function 0138D1D4 Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1439665273.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_138d000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ecab22ef7d3669ceb6e1e997a14c2962a55b0eb29009f983e2664df65ea6d088
                                          • Instruction ID: 766f1e68b8fa551c2c62ed50840209a936b511707177ceb90173a1c430873776
                                          • Opcode Fuzzy Hash: ecab22ef7d3669ceb6e1e997a14c2962a55b0eb29009f983e2664df65ea6d088
                                          • Instruction Fuzzy Hash: 32210771504304DFDB05EF98D5C0F26BB65FB84328F20C56DE9094B296C336D406CA61
                                          Function 0137D1F7 Relevance: .1, Instructions: 57COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1439622946.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_137d000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 21e913fbe4a6093fe52002ebff3728cbe293fe76fa7d723964536c1d21f6342d
                                          • Instruction ID: ffc20e896743a6b15a7049d9d88e1aa70e226c0d3cf4e7f4dcae69de406a5e86
                                          • Opcode Fuzzy Hash: 21e913fbe4a6093fe52002ebff3728cbe293fe76fa7d723964536c1d21f6342d
                                          • Instruction Fuzzy Hash: B7219D76504244DFDB16CF54D9C4B16BF62FF84324F24C5A9ED090A656C33AD42ACBA1
                                          Function 0138D1CF Relevance: .1, Instructions: 53COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1439665273.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_138d000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                          • Instruction ID: b03a63c9dfcaf15cdef406a74846a3f3fa8bb3973073822319879d885bf2db8a
                                          • Opcode Fuzzy Hash: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                          • Instruction Fuzzy Hash: 8C11BB75504384DFDB02DF58C5C4B15BBB1FB84328F24C6A9D8494B296C33AD40ACB61
                                          Function 0138D017 Relevance: .1, Instructions: 53COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1439665273.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_138d000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                          • Instruction ID: 8569ce95e63f69de272814c2be84854a01624dd0faba2e91969af8305f7bc6b3
                                          • Opcode Fuzzy Hash: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                          • Instruction Fuzzy Hash: 1E11BBB5504384CFDB12DF58D5C4B15BBA2FB84318F24C6AAD8494B696C33AD40BCBA2

                                          Execution Graph

                                          Execution Coverage:10.6%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:87
                                          Total number of Limit Nodes:11
                                          execution_graph 38095 69b32d8 DuplicateHandle 38096 69b336e 38095->38096 38097 2c20848 38099 2c2084e 38097->38099 38098 2c2091b 38099->38098 38104 2c2138f 38099->38104 38110 2c214bf 38099->38110 38115 69b1f88 38099->38115 38119 69b1f78 38099->38119 38105 2c21372 38104->38105 38106 2c21393 38104->38106 38105->38099 38107 2c214ba 38106->38107 38109 2c214bf 2 API calls 38106->38109 38123 2c28258 38106->38123 38107->38099 38109->38106 38111 2c213a6 38110->38111 38112 2c214ba 38111->38112 38113 2c28258 2 API calls 38111->38113 38114 2c214bf 2 API calls 38111->38114 38112->38099 38113->38111 38114->38111 38116 69b1f97 38115->38116 38136 69b17c4 38116->38136 38120 69b1f88 38119->38120 38121 69b17c4 GetModuleHandleW 38120->38121 38122 69b1fb8 38121->38122 38122->38099 38124 2c28262 38123->38124 38125 2c2827c 38124->38125 38128 69dfa1f 38124->38128 38132 69dfa30 38124->38132 38125->38106 38130 69dfa45 38128->38130 38129 69dfc5a 38129->38125 38130->38129 38131 69dfc70 GlobalMemoryStatusEx GlobalMemoryStatusEx 38130->38131 38131->38130 38133 69dfa45 38132->38133 38134 69dfc5a 38133->38134 38135 69dfc70 GlobalMemoryStatusEx GlobalMemoryStatusEx 38133->38135 38134->38125 38135->38133 38137 69b17cf 38136->38137 38140 69b2f24 38137->38140 38139 69b393e 38142 69b2f2f 38140->38142 38141 69b4064 38141->38139 38142->38141 38144 69b5ce8 38142->38144 38145 69b5d09 38144->38145 38146 69b5d2d 38145->38146 38148 69b5e98 38145->38148 38146->38141 38149 69b5ea5 38148->38149 38151 69b5ede 38149->38151 38152 69b3e30 38149->38152 38151->38146 38153 69b3e3b 38152->38153 38155 69b5f50 38153->38155 38156 69b49a8 38153->38156 38155->38155 38157 69b49b3 38156->38157 38163 69b49b8 38157->38163 38159 69b5fbf 38167 69bb458 38159->38167 38173 69bb440 38159->38173 38160 69b5ff9 38160->38155 38164 69b49c3 38163->38164 38165 69b73c0 38164->38165 38166 69b5ce8 GetModuleHandleW 38164->38166 38165->38159 38166->38165 38169 69bb489 38167->38169 38170 69bb4d5 38167->38170 38168 69bb495 38168->38160 38169->38168 38178 69bb6d0 38169->38178 38181 69bb6c0 38169->38181 38170->38160 38174 69bb450 38173->38174 38175 69bb495 38174->38175 38176 69bb6d0 GetModuleHandleW 38174->38176 38177 69bb6c0 GetModuleHandleW 38174->38177 38175->38160 38176->38175 38177->38175 38185 69bb710 38178->38185 38179 69bb6da 38179->38170 38182 69bb6cc 38181->38182 38184 69bb710 GetModuleHandleW 38182->38184 38183 69bb6da 38183->38170 38184->38183 38187 69bb715 38185->38187 38186 69bb754 38186->38179 38187->38186 38188 69bb958 GetModuleHandleW 38187->38188 38189 69bb985 38188->38189 38189->38179 38190 69b3090 38191 69b30d6 GetCurrentProcess 38190->38191 38193 69b3128 GetCurrentThread 38191->38193 38194 69b3121 38191->38194 38195 69b315e 38193->38195 38196 69b3165 GetCurrentProcess 38193->38196 38194->38193 38195->38196 38199 69b319b 38196->38199 38197 69b31c3 GetCurrentThreadId 38198 69b31f4 38197->38198 38199->38197 38200 69bd8f0 38201 69bd958 CreateWindowExW 38200->38201 38203 69bda14 38201->38203

                                          Executed Functions

                                          Function 069D3490 Relevance: 8.0, Strings: 6, Instructions: 545COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 653 69d3490-69d34b1 655 69d34b3-69d34b6 653->655 656 69d34dc-69d34df 655->656 657 69d34b8-69d34d7 655->657 658 69d34e5-69d3504 656->658 659 69d3c80-69d3c82 656->659 657->656 667 69d351d-69d3527 658->667 668 69d3506-69d3509 658->668 661 69d3c89-69d3c8c 659->661 662 69d3c84 659->662 661->655 664 69d3c92-69d3c9b 661->664 662->661 671 69d352d-69d353c 667->671 668->667 669 69d350b-69d351b 668->669 669->671 782 69d353e call 69d3ca8 671->782 783 69d353e call 69d3cb0 671->783 673 69d3543-69d3548 674 69d354a-69d3550 673->674 675 69d3555-69d3832 673->675 674->664 696 69d3838-69d38e7 675->696 697 69d3c72-69d3c7f 675->697 706 69d38e9-69d390e 696->706 707 69d3910 696->707 709 69d3919-69d392c 706->709 707->709 711 69d3c59-69d3c65 709->711 712 69d3932-69d3954 call 69d307c 709->712 711->696 713 69d3c6b 711->713 712->711 716 69d395a-69d3964 712->716 713->697 716->711 717 69d396a-69d3975 716->717 717->711 718 69d397b-69d3a51 717->718 730 69d3a5f-69d3a8f 718->730 731 69d3a53-69d3a55 718->731 735 69d3a9d-69d3aa9 730->735 736 69d3a91-69d3a93 730->736 731->730 737 69d3b09-69d3b0d 735->737 738 69d3aab-69d3aaf 735->738 736->735 740 69d3c4a-69d3c53 737->740 741 69d3b13-69d3b4f 737->741 738->737 739 69d3ab1-69d3adb 738->739 748 69d3add-69d3adf 739->748 749 69d3ae9-69d3b06 call 69d3088 739->749 740->711 740->718 752 69d3b5d-69d3b6b 741->752 753 69d3b51-69d3b53 741->753 748->749 749->737 756 69d3b6d-69d3b78 752->756 757 69d3b82-69d3b8d 752->757 753->752 756->757 762 69d3b7a 756->762 760 69d3b8f-69d3b95 757->760 761 69d3ba5-69d3bb6 757->761 763 69d3b99-69d3b9b 760->763 764 69d3b97 760->764 766 69d3bce-69d3bda 761->766 767 69d3bb8-69d3bbe 761->767 762->757 763->761 764->761 771 69d3bdc-69d3be2 766->771 772 69d3bf2-69d3c43 766->772 768 69d3bc0 767->768 769 69d3bc2-69d3bc4 767->769 768->766 769->766 773 69d3be4 771->773 774 69d3be6-69d3be8 771->774 772->740 773->772 774->772 782->673 783->673
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q$$_q$$_q
                                          • API String ID: 0-155944776
                                          • Opcode ID: f282e12820b17fdc9566b6d0f437b90f90fb8cbf3395abd8da49cddcc0d1bbce
                                          • Instruction ID: 0b89a420f2d4f13c0919fe9723a26c4b5eb135bcaf3677bc3ada6c86532278ee
                                          • Opcode Fuzzy Hash: f282e12820b17fdc9566b6d0f437b90f90fb8cbf3395abd8da49cddcc0d1bbce
                                          • Instruction Fuzzy Hash: 6C322130E1061ACFCB14EF75D8546ADB7B6BFC9301F20CA69D409A7264EF709985CB91
                                          Function 069D7D70 Relevance: 3.0, Strings: 2, Instructions: 487COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1375 69d7d70-69d7d8e 1377 69d7d90-69d7d93 1375->1377 1378 69d7d95-69d7daf 1377->1378 1379 69d7db4-69d7db7 1377->1379 1378->1379 1380 69d7db9-69d7dc3 1379->1380 1381 69d7dc4-69d7dc7 1379->1381 1382 69d7dc9-69d7de5 1381->1382 1383 69d7dea-69d7ded 1381->1383 1382->1383 1385 69d7def-69d7dfd 1383->1385 1386 69d7e04-69d7e06 1383->1386 1391 69d7e16-69d7e2c 1385->1391 1394 69d7dff 1385->1394 1388 69d7e0d-69d7e10 1386->1388 1389 69d7e08 1386->1389 1388->1377 1388->1391 1389->1388 1396 69d8047-69d804a 1391->1396 1397 69d7e32-69d7e3b 1391->1397 1394->1386 1400 69d804c-69d8051 1396->1400 1398 69d7e41-69d7e5e 1397->1398 1399 69d8052-69d8060 1397->1399 1410 69d8034-69d8041 1398->1410 1411 69d7e64-69d7e8c 1398->1411 1403 69d80b7-69d80be 1399->1403 1404 69d8062-69d8066 1399->1404 1406 69d80bf 1403->1406 1407 69d80a3-69d80b3 1403->1407 1408 69d806e-69d8087 1404->1408 1409 69d8068-69d806d 1404->1409 1406->1400 1412 69d80c0-69d8104 1406->1412 1407->1403 1413 69d8089-69d808c 1408->1413 1409->1408 1410->1396 1410->1397 1411->1410 1433 69d7e92-69d7e9b 1411->1433 1424 69d810a-69d811b 1412->1424 1425 69d8295-69d82ab 1412->1425 1414 69d82c1-69d82c4 1413->1414 1415 69d8092-69d80a1 1413->1415 1419 69d82e7-69d82ea 1414->1419 1420 69d82c6-69d82e2 1414->1420 1415->1407 1415->1412 1422 69d8395-69d8397 1419->1422 1423 69d82f0-69d82fc 1419->1423 1420->1419 1428 69d839e-69d83a1 1422->1428 1429 69d8399 1422->1429 1432 69d8307-69d8309 1423->1432 1440 69d8121-69d813e 1424->1440 1441 69d8280-69d828f 1424->1441 1425->1414 1428->1413 1431 69d83a7-69d83b0 1428->1431 1429->1428 1436 69d830b-69d8311 1432->1436 1437 69d8321-69d8325 1432->1437 1433->1399 1439 69d7ea1-69d7ebd 1433->1439 1442 69d8315-69d8317 1436->1442 1443 69d8313 1436->1443 1444 69d8327-69d8331 1437->1444 1445 69d8333 1437->1445 1450 69d7ec3-69d7eed 1439->1450 1451 69d8022-69d802e 1439->1451 1440->1441 1456 69d8144-69d823a call 69d6598 1440->1456 1441->1424 1441->1425 1442->1437 1443->1437 1448 69d8338-69d833a 1444->1448 1445->1448 1452 69d833c-69d833f 1448->1452 1453 69d834b-69d8384 1448->1453 1464 69d8018-69d801d 1450->1464 1465 69d7ef3-69d7f1b 1450->1465 1451->1410 1451->1433 1452->1431 1453->1415 1470 69d838a-69d8394 1453->1470 1514 69d823c-69d8246 1456->1514 1515 69d8248 1456->1515 1464->1451 1465->1464 1473 69d7f21-69d7f4f 1465->1473 1473->1464 1479 69d7f55-69d7f5e 1473->1479 1479->1464 1480 69d7f64-69d7f96 1479->1480 1488 69d7f98-69d7f9c 1480->1488 1489 69d7fa1-69d7fbd 1480->1489 1488->1464 1490 69d7f9e 1488->1490 1489->1451 1492 69d7fbf-69d8016 call 69d6598 1489->1492 1490->1489 1492->1451 1516 69d824d-69d824f 1514->1516 1515->1516 1516->1441 1517 69d8251-69d8256 1516->1517 1518 69d8258-69d8262 1517->1518 1519 69d8264 1517->1519 1520 69d8269-69d826b 1518->1520 1519->1520 1520->1441 1521 69d826d-69d8279 1520->1521 1521->1441
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q
                                          • API String ID: 0-458585787
                                          • Opcode ID: 786681332b73ac815e149cccff5730931543b3bb317136f4cb62a475b0209d77
                                          • Instruction ID: a962b003fc9d0b2fe0115d86d9632597870820f9057d1b17b9d7514924c6f496
                                          • Opcode Fuzzy Hash: 786681332b73ac815e149cccff5730931543b3bb317136f4cb62a475b0209d77
                                          • Instruction Fuzzy Hash: 9C02A930B002168FDB54DB69DA90AAEB7E6FF84344F24C938D4099B795DB31EC46CB90
                                          Function 069D65E8 Relevance: .8, Instructions: 823COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5c50107f28e94ca0b5ff3701ee7b2751a3db7f0af74661eff77e10942dd19a66
                                          • Instruction ID: 5532007a8ea59688530b80ac7d7ebbcfbf8615f5ec148207b732ee64b58e67a5
                                          • Opcode Fuzzy Hash: 5c50107f28e94ca0b5ff3701ee7b2751a3db7f0af74661eff77e10942dd19a66
                                          • Instruction Fuzzy Hash: B262A934A002059FDB54DB68D594AADBBF6EF88314F20C579E40AEB794DB35EC46CB80
                                          Function 069DC178 Relevance: .6, Instructions: 647COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 861e32039ccebd9415764ada49ed0d768f3e747dfd2f969c629cda8c6998af58
                                          • Instruction ID: c82e49cb65c56ac81ebb99caa7acc07516978dabde15c86a903854ca57e50184
                                          • Opcode Fuzzy Hash: 861e32039ccebd9415764ada49ed0d768f3e747dfd2f969c629cda8c6998af58
                                          • Instruction Fuzzy Hash: 66328930B002199FDB54DF69D990AADB7AAFB88310F208539E505EB759DB31EC42CB91
                                          Function 069D55D0 Relevance: .6, Instructions: 590COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ddb67d7fa1a50abf1fc640b9d4f7a8feddc0935be1b1a362683f87f73bfb557f
                                          • Instruction ID: 964c2fa6d320af9619b7608041ebc2d183b0a143e5e24f6bedcb54697b524b13
                                          • Opcode Fuzzy Hash: ddb67d7fa1a50abf1fc640b9d4f7a8feddc0935be1b1a362683f87f73bfb557f
                                          • Instruction Fuzzy Hash: CF12EE75F002059BDF64DB64C8806AEBBBAEB84310F35C879D85ADB785CA34DC46CB91
                                          Function 069DB220 Relevance: .6, Instructions: 566COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f2bc5254121679314430fe3f1053d3c8f01082b75f33baca9829187c276bdf76
                                          • Instruction ID: 730b8108a3c48eb32199ac9108f88cee168e579a1301803ef996c946360356e2
                                          • Opcode Fuzzy Hash: f2bc5254121679314430fe3f1053d3c8f01082b75f33baca9829187c276bdf76
                                          • Instruction Fuzzy Hash: 5F2270B0E002099FDF64CB69C4907ADBBAAEB45314F21C939E409DBB59CA34DC85CB51
                                          Function 069DACC8 Relevance: 10.4, Strings: 8, Instructions: 390COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 528 69dacc8-69dace6 530 69dace8-69daceb 528->530 531 69daced-69dad00 530->531 532 69dad05-69dad08 530->532 531->532 533 69dad1c-69dad1f 532->533 534 69dad0a-69dad17 532->534 536 69dad39-69dad3c 533->536 537 69dad21-69dad2a 533->537 534->533 541 69dad5f-69dad62 536->541 542 69dad3e-69dad5a 536->542 539 69daeff-69daf36 537->539 540 69dad30-69dad34 537->540 551 69daf38-69daf3b 539->551 540->536 543 69dad64-69dad6d 541->543 544 69dad72-69dad75 541->544 542->541 543->544 545 69dad7b-69dad7e 544->545 546 69daee5-69daeee 544->546 549 69dad88-69dad8b 545->549 550 69dad80-69dad85 545->550 546->537 552 69daef4-69daefe 546->552 556 69dad8d-69dad91 549->556 557 69dad9c-69dad9e 549->557 550->549 554 69daf3d-69daf41 551->554 555 69daf48-69daf4b 551->555 558 69daf61-69daf9c 554->558 559 69daf43 554->559 560 69daf4d-69daf57 555->560 561 69daf58-69daf5b 555->561 556->552 562 69dad97 556->562 563 69dada5-69dada8 557->563 564 69dada0 557->564 572 69db18f-69db1a2 558->572 573 69dafa2-69dafae 558->573 559->555 561->558 565 69db1c4-69db1c7 561->565 562->557 563->530 566 69dadae-69dadd2 563->566 564->563 567 69db1c9-69db1e5 565->567 568 69db1ea-69db1ed 565->568 585 69dadd8-69dade7 566->585 586 69daee2 566->586 567->568 570 69db1fc-69db1fe 568->570 571 69db1ef call 69db220 568->571 577 69db205-69db208 570->577 578 69db200 570->578 582 69db1f5-69db1f7 571->582 575 69db1a4 572->575 583 69dafce-69db012 573->583 584 69dafb0-69dafc9 573->584 575->565 577->551 579 69db20e-69db218 577->579 578->577 582->570 602 69db02e-69db06d 583->602 603 69db014-69db026 583->603 584->575 590 69dadff-69dae3a call 69d6598 585->590 591 69dade9-69dadef 585->591 586->546 608 69dae3c-69dae42 590->608 609 69dae52-69dae69 590->609 593 69dadf1 591->593 594 69dadf3-69dadf5 591->594 593->590 594->590 610 69db154-69db169 602->610 611 69db073-69db14e call 69d6598 602->611 603->602 613 69dae44 608->613 614 69dae46-69dae48 608->614 621 69dae6b-69dae71 609->621 622 69dae81-69dae92 609->622 610->572 611->610 613->609 614->609 623 69dae75-69dae77 621->623 624 69dae73 621->624 627 69daeaa-69daedb 622->627 628 69dae94-69dae9a 622->628 623->622 624->622 627->586 630 69dae9c 628->630 631 69dae9e-69daea0 628->631 630->627 631->627
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q
                                          • API String ID: 0-2216122830
                                          • Opcode ID: 6aadfd88c07c0ed8be3656e24439bc055f80440c644a066580dbafef5572df94
                                          • Instruction ID: 1e44c558b9eb34b413f131886dd4f2d193698af912f3d4858bac435b032816db
                                          • Opcode Fuzzy Hash: 6aadfd88c07c0ed8be3656e24439bc055f80440c644a066580dbafef5572df94
                                          • Instruction Fuzzy Hash: 4AE15D30E1021A8FDB54DF69D8906AEB7B6FF85304F208539E809EB758DB719C46CB91
                                          Function 069DB648 Relevance: 8.0, Strings: 6, Instructions: 473COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q$$_q$$_q
                                          • API String ID: 0-155944776
                                          • Opcode ID: b68db8f69bf4d377aadfa83632ff47d1c54e4c2a6970379ba205f9ed033f1338
                                          • Instruction ID: af746944177ff85810244a16d1869f47634310bc68d0ef940012cfc3982ca9f3
                                          • Opcode Fuzzy Hash: b68db8f69bf4d377aadfa83632ff47d1c54e4c2a6970379ba205f9ed033f1338
                                          • Instruction Fuzzy Hash: D3027BB0E0020A9FDFA4CF69C480AADB7A6FB45314F21C97AE405DBB59DB34D845CB91
                                          Function 069B308B Relevance: 6.1, APIs: 4, Instructions: 131threadCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 954 69b308b-69b311f GetCurrentProcess 959 69b3128-69b315c GetCurrentThread 954->959 960 69b3121-69b3127 954->960 961 69b315e-69b3164 959->961 962 69b3165-69b3199 GetCurrentProcess 959->962 960->959 961->962 963 69b319b-69b31a1 962->963 964 69b31a2-69b31bd call 69b3260 962->964 963->964 968 69b31c3-69b31f2 GetCurrentThreadId 964->968 969 69b31fb-69b325d 968->969 970 69b31f4-69b31fa 968->970 970->969
                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 069B310E
                                          • GetCurrentThread.KERNEL32 ref: 069B314B
                                          • GetCurrentProcess.KERNEL32 ref: 069B3188
                                          • GetCurrentThreadId.KERNEL32 ref: 069B31E1
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533730458.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69b0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 0dab675fed51dd72108bc9fb68cff73e83b15b94fe5ba4f1315fe1d1d8308422
                                          • Instruction ID: 496ade3103d1158a3f0ccc2f5a7ffc982c007235fef78f1e964e5869f91d09b7
                                          • Opcode Fuzzy Hash: 0dab675fed51dd72108bc9fb68cff73e83b15b94fe5ba4f1315fe1d1d8308422
                                          • Instruction Fuzzy Hash: A85165B09003098FDB94DFAADA48BDEBBF5AF48310F248459E019A7760D7345944CBA5
                                          Function 069B3090 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 978 69b3090-69b311f GetCurrentProcess 982 69b3128-69b315c GetCurrentThread 978->982 983 69b3121-69b3127 978->983 984 69b315e-69b3164 982->984 985 69b3165-69b3199 GetCurrentProcess 982->985 983->982 984->985 986 69b319b-69b31a1 985->986 987 69b31a2-69b31bd call 69b3260 985->987 986->987 991 69b31c3-69b31f2 GetCurrentThreadId 987->991 992 69b31fb-69b325d 991->992 993 69b31f4-69b31fa 991->993 993->992
                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 069B310E
                                          • GetCurrentThread.KERNEL32 ref: 069B314B
                                          • GetCurrentProcess.KERNEL32 ref: 069B3188
                                          • GetCurrentThreadId.KERNEL32 ref: 069B31E1
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533730458.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69b0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: ff158150292190ff9e3fbc40f475cb9656faff1ec678a32e46d9375ac9a23787
                                          • Instruction ID: 7dd04ecce82c121be7b123222901ff1148814454eb57b9f39f9852435d9df6df
                                          • Opcode Fuzzy Hash: ff158150292190ff9e3fbc40f475cb9656faff1ec678a32e46d9375ac9a23787
                                          • Instruction Fuzzy Hash: 5A5165B0D003098FDB94DFAADA48BEEBBF5AF48314F248459E019A7760D7345944CFA5
                                          Function 069D9148 Relevance: 5.2, Strings: 4, Instructions: 230COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1001 69d9148-69d916d 1002 69d916f-69d9172 1001->1002 1003 69d9178-69d918d 1002->1003 1004 69d9a30-69d9a33 1002->1004 1011 69d918f-69d9195 1003->1011 1012 69d91a5-69d91bb 1003->1012 1005 69d9a59-69d9a5b 1004->1005 1006 69d9a35-69d9a54 1004->1006 1008 69d9a5d 1005->1008 1009 69d9a62-69d9a65 1005->1009 1006->1005 1008->1009 1009->1002 1013 69d9a6b-69d9a75 1009->1013 1014 69d9199-69d919b 1011->1014 1015 69d9197 1011->1015 1018 69d91c6-69d91c8 1012->1018 1014->1012 1015->1012 1019 69d91ca-69d91d0 1018->1019 1020 69d91e0-69d9251 1018->1020 1021 69d91d4-69d91d6 1019->1021 1022 69d91d2 1019->1022 1031 69d927d-69d9299 1020->1031 1032 69d9253-69d9276 1020->1032 1021->1020 1022->1020 1037 69d929b-69d92be 1031->1037 1038 69d92c5-69d92e0 1031->1038 1032->1031 1037->1038 1043 69d930b-69d9326 1038->1043 1044 69d92e2-69d9304 1038->1044 1049 69d9328-69d9344 1043->1049 1050 69d934b-69d9359 1043->1050 1044->1043 1049->1050 1051 69d9369-69d93e3 1050->1051 1052 69d935b-69d9364 1050->1052 1058 69d93e5-69d9403 1051->1058 1059 69d9430-69d9445 1051->1059 1052->1013 1063 69d941f-69d942e 1058->1063 1064 69d9405-69d9414 1058->1064 1059->1004 1063->1058 1063->1059 1064->1063
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q
                                          • API String ID: 0-1171383116
                                          • Opcode ID: 744eb1521b23e740b106301ec91b83dedb0173f13f7d7bc6a567cc4add277d19
                                          • Instruction ID: f2f09dafc7e37610f95b5ea399298fa3e12eee3ab0f300dad47025628fccf4fe
                                          • Opcode Fuzzy Hash: 744eb1521b23e740b106301ec91b83dedb0173f13f7d7bc6a567cc4add277d19
                                          • Instruction Fuzzy Hash: 18916D30B0021A9FDB54EF65D9507AEB7FABF88200F108579D809EB758EB319D46CB91
                                          Function 069DCF38 Relevance: 4.6, Strings: 3, Instructions: 802COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1067 69dcf38-69dcf53 1069 69dcf55-69dcf58 1067->1069 1070 69dcf5a-69dcf9c 1069->1070 1071 69dcfa1-69dcfa4 1069->1071 1070->1071 1072 69dcfed-69dcff0 1071->1072 1073 69dcfa6-69dcfb5 1071->1073 1077 69dcfff-69dd002 1072->1077 1078 69dcff2-69dcff4 1072->1078 1074 69dcfc4-69dcfd0 1073->1074 1075 69dcfb7-69dcfbc 1073->1075 1079 69dd955-69dd98e 1074->1079 1080 69dcfd6-69dcfe8 1074->1080 1075->1074 1083 69dd01f-69dd022 1077->1083 1084 69dd004-69dd01a 1077->1084 1081 69dcffa 1078->1081 1082 69dd421 1078->1082 1096 69dd990-69dd993 1079->1096 1080->1072 1081->1077 1085 69dd424-69dd430 1082->1085 1086 69dd06b-69dd06e 1083->1086 1087 69dd024-69dd066 1083->1087 1084->1083 1093 69dd17c-69dd18b 1085->1093 1094 69dd436-69dd723 1085->1094 1089 69dd0b7-69dd0ba 1086->1089 1090 69dd070-69dd0b2 1086->1090 1087->1086 1100 69dd0bc-69dd0be 1089->1100 1101 69dd0c9-69dd0cc 1089->1101 1090->1089 1098 69dd18d-69dd192 1093->1098 1099 69dd19a-69dd1a6 1093->1099 1281 69dd729-69dd72f 1094->1281 1282 69dd94a-69dd954 1094->1282 1105 69dd995 call 69ddaad 1096->1105 1106 69dd9a2-69dd9a5 1096->1106 1098->1099 1099->1079 1110 69dd1ac-69dd1be 1099->1110 1108 69dd2df-69dd2e8 1100->1108 1109 69dd0c4 1100->1109 1111 69dd0ce-69dd110 1101->1111 1112 69dd115-69dd118 1101->1112 1127 69dd99b-69dd99d 1105->1127 1113 69dd9c8-69dd9cb 1106->1113 1114 69dd9a7-69dd9c3 1106->1114 1118 69dd2ea-69dd2ef 1108->1118 1119 69dd2f7-69dd303 1108->1119 1109->1101 1136 69dd1c3-69dd1c6 1110->1136 1111->1112 1116 69dd11a-69dd15c 1112->1116 1117 69dd161-69dd164 1112->1117 1129 69dd9cd-69dd9f9 1113->1129 1130 69dd9fe-69dda00 1113->1130 1114->1113 1116->1117 1117->1085 1124 69dd16a-69dd16d 1117->1124 1118->1119 1121 69dd309-69dd31d 1119->1121 1122 69dd414-69dd419 1119->1122 1121->1082 1148 69dd323-69dd335 1121->1148 1122->1082 1134 69dd16f-69dd174 1124->1134 1135 69dd177-69dd17a 1124->1135 1127->1106 1129->1130 1131 69dda07-69dda0a 1130->1131 1132 69dda02 1130->1132 1131->1096 1140 69dda0c-69dda1b 1131->1140 1132->1131 1134->1135 1135->1093 1135->1136 1144 69dd20f-69dd212 1136->1144 1145 69dd1c8-69dd20a 1136->1145 1163 69dda1d-69dda80 call 69d6598 1140->1163 1164 69dda82-69dda97 1140->1164 1151 69dd25b-69dd25e 1144->1151 1152 69dd214-69dd256 1144->1152 1145->1144 1169 69dd359-69dd35b 1148->1169 1170 69dd337-69dd33d 1148->1170 1156 69dd2a7-69dd2aa 1151->1156 1157 69dd260-69dd2a2 1151->1157 1152->1151 1166 69dd2cd-69dd2cf 1156->1166 1167 69dd2ac-69dd2c8 1156->1167 1157->1156 1163->1164 1190 69dda98 1164->1190 1176 69dd2d6-69dd2d9 1166->1176 1177 69dd2d1 1166->1177 1167->1166 1188 69dd365-69dd371 1169->1188 1182 69dd33f 1170->1182 1183 69dd341-69dd34d 1170->1183 1176->1069 1176->1108 1177->1176 1186 69dd34f-69dd357 1182->1186 1183->1186 1186->1188 1205 69dd37f 1188->1205 1206 69dd373-69dd37d 1188->1206 1190->1190 1209 69dd384-69dd386 1205->1209 1206->1209 1209->1082 1213 69dd38c-69dd3a8 call 69d6598 1209->1213 1223 69dd3aa-69dd3af 1213->1223 1224 69dd3b7-69dd3c3 1213->1224 1223->1224 1224->1122 1225 69dd3c5-69dd412 1224->1225 1225->1082 1283 69dd73e-69dd747 1281->1283 1284 69dd731-69dd736 1281->1284 1283->1079 1285 69dd74d-69dd760 1283->1285 1284->1283 1287 69dd93a-69dd944 1285->1287 1288 69dd766-69dd76c 1285->1288 1287->1281 1287->1282 1289 69dd76e-69dd773 1288->1289 1290 69dd77b-69dd784 1288->1290 1289->1290 1290->1079 1291 69dd78a-69dd7ab 1290->1291 1294 69dd7ad-69dd7b2 1291->1294 1295 69dd7ba-69dd7c3 1291->1295 1294->1295 1295->1079 1296 69dd7c9-69dd7e6 1295->1296 1296->1287 1299 69dd7ec-69dd7f2 1296->1299 1299->1079 1300 69dd7f8-69dd811 1299->1300 1302 69dd92d-69dd934 1300->1302 1303 69dd817-69dd83e 1300->1303 1302->1287 1302->1299 1303->1079 1306 69dd844-69dd84e 1303->1306 1306->1079 1307 69dd854-69dd86b 1306->1307 1309 69dd86d-69dd878 1307->1309 1310 69dd87a-69dd895 1307->1310 1309->1310 1310->1302 1315 69dd89b-69dd8b4 call 69d6598 1310->1315 1319 69dd8b6-69dd8bb 1315->1319 1320 69dd8c3-69dd8cc 1315->1320 1319->1320 1320->1079 1321 69dd8d2-69dd926 1320->1321 1321->1302
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q
                                          • API String ID: 0-2441406858
                                          • Opcode ID: 5c9b09013f121bf0e14ac229cdcb4c81e7198859b0e42351cd6c4c2163f91930
                                          • Instruction ID: 459438348506b0b4ff5d3c3dfbb2e2bc1d353dade133dee25b49010e32d0e13d
                                          • Opcode Fuzzy Hash: 5c9b09013f121bf0e14ac229cdcb4c81e7198859b0e42351cd6c4c2163f91930
                                          • Instruction Fuzzy Hash: E2622E30A002169FCB55EF69D590A5DB7E6FF84314B20CA68E0099F76DDB71EC4ACB90
                                          Function 069D4B98 Relevance: 3.9, Strings: 3, Instructions: 186COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1329 69d4b98-69d4bbc 1330 69d4bbe-69d4bc1 1329->1330 1331 69d4bc7-69d4cbf 1330->1331 1332 69d52a0-69d52a3 1330->1332 1352 69d4cc5-69d4d12 call 69d5440 1331->1352 1353 69d4d42-69d4d49 1331->1353 1333 69d52a5-69d52bf 1332->1333 1334 69d52c4-69d52c6 1332->1334 1333->1334 1336 69d52cd-69d52d0 1334->1336 1337 69d52c8 1334->1337 1336->1330 1339 69d52d6-69d52e3 1336->1339 1337->1336 1366 69d4d18-69d4d34 1352->1366 1354 69d4dcd-69d4dd6 1353->1354 1355 69d4d4f-69d4dbf 1353->1355 1354->1339 1372 69d4dca 1355->1372 1373 69d4dc1 1355->1373 1369 69d4d3f 1366->1369 1370 69d4d36 1366->1370 1369->1353 1370->1369 1372->1354 1373->1372
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: fdq$XPdq$\Odq
                                          • API String ID: 0-727959394
                                          • Opcode ID: 470b4dbdec0cc3cac126ef491e15f5748078d95ed943b6fb9536631c4b678390
                                          • Instruction ID: 3db7b028c91848285567b0d38faa238b86ab5e848c9edd691fb40ab1fba169e3
                                          • Opcode Fuzzy Hash: 470b4dbdec0cc3cac126ef491e15f5748078d95ed943b6fb9536631c4b678390
                                          • Instruction Fuzzy Hash: 71619170F002199FEB54DFA5C858BAEBBF6FB88700F20852AE105EB395DB754C458B91
                                          Function 069DA39A Relevance: 2.7, Strings: 2, Instructions: 240COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1762 69da39a-69da3a0 1763 69da338 1762->1763 1764 69da3a3-69da3c8 1762->1764 1765 69da35a-69da35d 1763->1765 1766 69da33a-69da355 1763->1766 1767 69da3ca-69da3cd 1764->1767 1770 69da37f-69da381 1765->1770 1771 69da35f 1765->1771 1766->1765 1768 69da3ed-69da3f0 1767->1768 1769 69da3cf-69da3e8 1767->1769 1772 69da3f6-69da423 call 69d2088 1768->1772 1773 69da523-69da526 1768->1773 1769->1768 1774 69da388-69da38b 1770->1774 1775 69da383 1770->1775 1777 69da36b-69da37a 1771->1777 1811 69da429-69da44d 1772->1811 1812 69da518-69da522 1772->1812 1778 69da528-69da532 1773->1778 1779 69da533-69da536 1773->1779 1780 69da38d-69da391 1774->1780 1781 69da310-69da313 1774->1781 1775->1774 1777->1770 1785 69da53c-69da5d5 call 69d2088 1779->1785 1786 69da5e6-69da5e9 1779->1786 1783 69da335 1781->1783 1784 69da315-69da330 1781->1784 1783->1763 1784->1783 1785->1772 1823 69da5db-69da5e5 1785->1823 1790 69da5eb-69da5f9 1786->1790 1791 69da604-69da607 1786->1791 1790->1785 1799 69da5ff 1790->1799 1795 69da609-69da625 1791->1795 1796 69da62a-69da62c 1791->1796 1795->1796 1800 69da62e 1796->1800 1801 69da633-69da636 1796->1801 1799->1791 1800->1801 1801->1767 1806 69da63c-69da645 1801->1806 1819 69da44f-69da455 1811->1819 1820 69da457 1811->1820 1822 69da45d-69da512 call 69d6598 call 69d2088 1819->1822 1820->1822 1822->1811 1822->1812
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: X!@$x!@
                                          • API String ID: 0-2527372166
                                          • Opcode ID: 93034f3cf1c71629c71eae420a7e420bc10418ab3e0d7f951a6636c138c76ef3
                                          • Instruction ID: 0f5a0b51d8e5ffc9109a5e63c0dcbb1fc2404d7306d5b1a09ac3b549a6b3dfb1
                                          • Opcode Fuzzy Hash: 93034f3cf1c71629c71eae420a7e420bc10418ab3e0d7f951a6636c138c76ef3
                                          • Instruction Fuzzy Hash: 7B81A031F002159FCB54EBA9E854AADB7B6FF88310F208939E509EB754DB31AC55CB90
                                          Function 069D9139 Relevance: 2.7, Strings: 2, Instructions: 161COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1841 69d9139-69d916d 1843 69d916f-69d9172 1841->1843 1844 69d9178-69d918d 1843->1844 1845 69d9a30-69d9a33 1843->1845 1852 69d918f-69d9195 1844->1852 1853 69d91a5-69d91bb 1844->1853 1846 69d9a59-69d9a5b 1845->1846 1847 69d9a35-69d9a54 1845->1847 1849 69d9a5d 1846->1849 1850 69d9a62-69d9a65 1846->1850 1847->1846 1849->1850 1850->1843 1854 69d9a6b-69d9a75 1850->1854 1855 69d9199-69d919b 1852->1855 1856 69d9197 1852->1856 1859 69d91c6-69d91c8 1853->1859 1855->1853 1856->1853 1860 69d91ca-69d91d0 1859->1860 1861 69d91e0-69d9251 1859->1861 1862 69d91d4-69d91d6 1860->1862 1863 69d91d2 1860->1863 1872 69d927d-69d9299 1861->1872 1873 69d9253-69d9276 1861->1873 1862->1861 1863->1861 1878 69d929b-69d92be 1872->1878 1879 69d92c5-69d92e0 1872->1879 1873->1872 1878->1879 1884 69d930b-69d9326 1879->1884 1885 69d92e2-69d9304 1879->1885 1890 69d9328-69d9344 1884->1890 1891 69d934b-69d9359 1884->1891 1885->1884 1890->1891 1892 69d9369-69d93e3 1891->1892 1893 69d935b-69d9364 1891->1893 1899 69d93e5-69d9403 1892->1899 1900 69d9430-69d9445 1892->1900 1893->1854 1904 69d941f-69d942e 1899->1904 1905 69d9405-69d9414 1899->1905 1900->1845 1904->1899 1904->1900 1905->1904
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q
                                          • API String ID: 0-458585787
                                          • Opcode ID: c03ea9478632c448b265f1bb613dfa1d2446a7d2eb3253d9be3bf268ab79f865
                                          • Instruction ID: 88b7c4caaeea0149017c0458f4598bbe6629592f083875cbdb507c2e27e0904e
                                          • Opcode Fuzzy Hash: c03ea9478632c448b265f1bb613dfa1d2446a7d2eb3253d9be3bf268ab79f865
                                          • Instruction Fuzzy Hash: 1D516030B001169FDB54EF75D950BAEB7FAAF88650F108539D809EB798EA31DC42CB91
                                          Function 069BB710 Relevance: 1.7, APIs: 1, Instructions: 209COMMON
                                          Download Yara Rule
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 069BB976
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533730458.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69b0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 49135a9ac8077bd57cfd9d1b14768c7dcfcb40586da111a3e75fbb3987bdba14
                                          • Instruction ID: cfd2c4a7235959182fc16fa309e2d92181ae7d1d5b6a7f9e57f02972438f7462
                                          • Opcode Fuzzy Hash: 49135a9ac8077bd57cfd9d1b14768c7dcfcb40586da111a3e75fbb3987bdba14
                                          • Instruction Fuzzy Hash: 3F817970A00B058FD7A4DF6AD54579ABBF5FF88300F108A2DE48AD7A84DB74E805CB91
                                          Function 069BD8E4 Relevance: 1.6, APIs: 1, Instructions: 120COMMON
                                          Download Yara Rule
                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 069BDA02
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533730458.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69b0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          • Opcode ID: 8276e11d8441e26876f351074901f37161acf8895b9ec7d1b6320565628f5372
                                          • Instruction ID: 0c7fb17ccd1578d29267a67f8f828932bd0ae691088501cc62ebbf804244314f
                                          • Opcode Fuzzy Hash: 8276e11d8441e26876f351074901f37161acf8895b9ec7d1b6320565628f5372
                                          • Instruction Fuzzy Hash: 5651D1B1D003499FDB14CF99C984ADEBFB5BF89310F64912AE819AB210D7719885CF90
                                          Function 069BD8F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                          Download Yara Rule
                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 069BDA02
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533730458.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69b0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          • Opcode ID: 79ccc07c1f43af6c8b9bfaa68ad632a4d07832fc42b03b2d0ba604f9f56d28a1
                                          • Instruction ID: 037fc17a6cf6846deba9b4a895f0987c0e6b74cd5a70d0b70071847b108dca15
                                          • Opcode Fuzzy Hash: 79ccc07c1f43af6c8b9bfaa68ad632a4d07832fc42b03b2d0ba604f9f56d28a1
                                          • Instruction Fuzzy Hash: CD41B0B1D00349DFDB14CF9AC984ADEBBB5BF88310F24912AE819AB210D7759985CF90
                                          Function 02C2F018 Relevance: 1.6, APIs: 1, Instructions: 76COMMON
                                          Download Yara Rule
                                          APIs
                                          • GlobalMemoryStatusEx.KERNELBASE ref: 02C2F0BF
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1524435509.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_2c20000_mpTrle.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID:
                                          • API String ID: 1890195054-0
                                          • Opcode ID: d07775b4c4952f64fdd5d10540933b20ccf5003cdabad177dcc496b13bfc8b7a
                                          • Instruction ID: 3921577e62145d470dfab610359a857e76508739201b64d37bd7b9cfc8579222
                                          • Opcode Fuzzy Hash: d07775b4c4952f64fdd5d10540933b20ccf5003cdabad177dcc496b13bfc8b7a
                                          • Instruction Fuzzy Hash: AE2189B1C0425A9FCB14DFAAC80479EFFF4AF48320F11846AE808A7241D7789945CFE1
                                          Function 069B32D0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                          Download Yara Rule
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069B335F
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533730458.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69b0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 8c68170f4c9f15e3a2fd7a775c228fe14882ad8bd8e4ed5da9fa22d242e71f86
                                          • Instruction ID: fa7e15e61a1241231fbbf6bab71fca9c8bd0046150012f1759fce5de41196f2b
                                          • Opcode Fuzzy Hash: 8c68170f4c9f15e3a2fd7a775c228fe14882ad8bd8e4ed5da9fa22d242e71f86
                                          • Instruction Fuzzy Hash: 1121E4B5D002089FDB10DFAAD984ADEBBF5FB48310F14841AE919A7350D378A954CFA0
                                          Function 069B32D8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                          Download Yara Rule
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069B335F
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533730458.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69b0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: e852c1fa5911ee921279139f24cec81f343a9c716b45020dbd51243c9ad51228
                                          • Instruction ID: ecc6b77bf8a2db1fbf5b5e911d6293fd3fc41cf7a4524e54b65907daf3a82aea
                                          • Opcode Fuzzy Hash: e852c1fa5911ee921279139f24cec81f343a9c716b45020dbd51243c9ad51228
                                          • Instruction Fuzzy Hash: D621C4B5D00248AFDB50CFAAD984ADEBBF8FB48310F14841AE918A3350D375A954CFA5
                                          Function 02C2F058 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                          Download Yara Rule
                                          APIs
                                          • GlobalMemoryStatusEx.KERNELBASE ref: 02C2F0BF
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1524435509.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_2c20000_mpTrle.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID:
                                          • API String ID: 1890195054-0
                                          • Opcode ID: 52291b6c33a0781a9ddaeb08c27b815fa0ba88912612edc78dc557cdcdafd543
                                          • Instruction ID: 5788e465862901437a522b6b40634f31bf8c8dec773819f8a8f8c03e246c164b
                                          • Opcode Fuzzy Hash: 52291b6c33a0781a9ddaeb08c27b815fa0ba88912612edc78dc557cdcdafd543
                                          • Instruction Fuzzy Hash: 8011E2B1C006599BCB10DF9AC544BDEFBF4AB48320F15816AD818B7640D779A944CFE5
                                          Function 069BB910 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                          Download Yara Rule
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 069BB976
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533730458.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69b0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: a57004b46f038c20665dd793590d4ab414690a218c3db8a84b6c7864bd859e41
                                          • Instruction ID: 96022c472ca04b2e2e532df6113fdb4d167b81cf0e7104027655b0430f1c14b7
                                          • Opcode Fuzzy Hash: a57004b46f038c20665dd793590d4ab414690a218c3db8a84b6c7864bd859e41
                                          • Instruction Fuzzy Hash: E71110B6C003498FCB10DF9AC944ADEFBF8AB88314F10841AD829B7650C379A545CFA1
                                          Function 069D4B88 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: XPdq
                                          • API String ID: 0-1708276200
                                          • Opcode ID: ccfbeae714151d8b31792ffbe37befc81661b1688cb28957ecb33d2b62c1e5f1
                                          • Instruction ID: 6665649a947e57981a79a1de85a020e2068a63a2e46c064e3f4883d13f67a609
                                          • Opcode Fuzzy Hash: ccfbeae714151d8b31792ffbe37befc81661b1688cb28957ecb33d2b62c1e5f1
                                          • Instruction Fuzzy Hash: 9D414F74E002089FDB54DFA5C858BAEBBF6BF88700F20C529E145AB395DA755C05CB91
                                          Function 069DDAAD Relevance: 1.4, Strings: 1, Instructions: 125COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PH_q
                                          • API String ID: 0-2397113591
                                          • Opcode ID: bee863479f2330c94c00e5a645285a597f49f7edde63e67c44778fa38e0372c9
                                          • Instruction ID: 77e4b56c74c6342c8f8c438f84616349a2a558e08ccd53f6c531bc142cf3572f
                                          • Opcode Fuzzy Hash: bee863479f2330c94c00e5a645285a597f49f7edde63e67c44778fa38e0372c9
                                          • Instruction Fuzzy Hash: FC41C230E0020A9FDB64DF79C45069EBBB6FF85344F208939E405EB644DB74D84ACB81
                                          Function 069D21E5 Relevance: 1.4, Strings: 1, Instructions: 112COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PH_q
                                          • API String ID: 0-2397113591
                                          • Opcode ID: 314ec3f3cc4482282df655fd671ee077140ade86fe72481a0c3f6a1ed7638b7e
                                          • Instruction ID: 42529c8e568e363f6d93d0d9284820407c81523640da2dfa80322ba304ce0cc7
                                          • Opcode Fuzzy Hash: 314ec3f3cc4482282df655fd671ee077140ade86fe72481a0c3f6a1ed7638b7e
                                          • Instruction Fuzzy Hash: 58310030B002028FDB599B75C46066F7BA6BF89744B208A78E506DB388DF35DE46C7A1
                                          Function 069D21F8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PH_q
                                          • API String ID: 0-2397113591
                                          • Opcode ID: 0d70f9e5e83f2d76cc049089319d74cb9e20fd9c7ded6643e236e9944abac432
                                          • Instruction ID: 2da0e959cdad53c1a270532f9a9c81f1476e66d866c260614f9c22fb0d429405
                                          • Opcode Fuzzy Hash: 0d70f9e5e83f2d76cc049089319d74cb9e20fd9c7ded6643e236e9944abac432
                                          • Instruction Fuzzy Hash: F731DE30B002028FDB59AB74C51476F7BE6BB88644F208938E506DB398DE35DE46C7A1
                                          Function 069D82C0 Relevance: 1.3, Strings: 1, Instructions: 40COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q
                                          • API String ID: 0-238743419
                                          • Opcode ID: 4a7f2f44f6dd31331060c7ad563d6a53a76f97b769152ea96c241f601b40254f
                                          • Instruction ID: eb6f5aaa7eb545d5fa51785749c2af4d5d5ee5744ecf75ce8c6b7918234fdad9
                                          • Opcode Fuzzy Hash: 4a7f2f44f6dd31331060c7ad563d6a53a76f97b769152ea96c241f601b40254f
                                          • Instruction Fuzzy Hash: 91F0FF31A002128FDF689E96FB80AACF7A9EB40340F248535DA09CBA46C632ED01C740
                                          Function 069D61E8 Relevance: .2, Instructions: 229COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ec4d811316ee7af5ad6935e658549296b263bcb5287d89a17ecea4563381286f
                                          • Instruction ID: 6ce7b303ecbc4c54d4dd219334fe92633d3fc0e5c98446f9d30dd0d6259eb4e8
                                          • Opcode Fuzzy Hash: ec4d811316ee7af5ad6935e658549296b263bcb5287d89a17ecea4563381286f
                                          • Instruction Fuzzy Hash: 5D618EB1F400214FDB549A6EC88066FBADBAFD4224F258439D90EDB364DEA5DD0287C1
                                          Function 069D42C9 Relevance: .2, Instructions: 226COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4d61be176ca65081a7e8a908560fe07429ce029e2aa586babd875377b9c7b27a
                                          • Instruction ID: 3fc199beff87a9ed7797258ca3522599bc15140c9168ebbcbeec2e9e80b1a74f
                                          • Opcode Fuzzy Hash: 4d61be176ca65081a7e8a908560fe07429ce029e2aa586babd875377b9c7b27a
                                          • Instruction Fuzzy Hash: 9A814C30B0020A8FDB54DFB9D55069EB7F6AF88704F208539D40AEB798EB74DC468B91
                                          Function 069D45E8 Relevance: .2, Instructions: 221COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 727f5bc8e5571b20efacbacf0a0ae24295da986549199c1e6cfd063f9cf85cb5
                                          • Instruction ID: b26a60ba767b815285d9ce12c61262a6610134174d419f728dacfd1372e767d4
                                          • Opcode Fuzzy Hash: 727f5bc8e5571b20efacbacf0a0ae24295da986549199c1e6cfd063f9cf85cb5
                                          • Instruction Fuzzy Hash: 45914E34E102598FDF60DF68C890B9DBBB1FF85300F2085A9D549BB295DB70AA85CF91
                                          Function 069D4600 Relevance: .2, Instructions: 210COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bbcf3b6e24a40fdad67a9b3cb889f77efc0c523569e23c87243ed82106f35bf0
                                          • Instruction ID: 0f8ccaa510676dd3ac3162afb726663b8baa45a34ce0850e98b98b1e20a55f07
                                          • Opcode Fuzzy Hash: bbcf3b6e24a40fdad67a9b3cb889f77efc0c523569e23c87243ed82106f35bf0
                                          • Instruction Fuzzy Hash: 73913C34E1021A8BDF64DF68C880B9DB7B1FF89310F20C5A9D549BB255DB70AA85CF91
                                          Function 069DEF00 Relevance: .2, Instructions: 204COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 59d801b4dd26192d46f758b0a7d4aa1c70a032efb9f2b2213c12bcd638bb62fb
                                          • Instruction ID: 1d5ce581995f862db3976d287925949f1c70facaa104fe0ff5cb0b9d65017c0e
                                          • Opcode Fuzzy Hash: 59d801b4dd26192d46f758b0a7d4aa1c70a032efb9f2b2213c12bcd638bb62fb
                                          • Instruction Fuzzy Hash: A3712A70A002199FDB54DFA9D990A9DBBF6FF88300F24C539E40AEB655DB30E946CB50
                                          Function 069DEF10 Relevance: .2, Instructions: 201COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6d9a5105b3a2a99af878f0e03edeeaf19c28f623bf8aad537c057d9cd6caab56
                                          • Instruction ID: 90366afb45787cc8d339bc07223504c4dd8152c23f3f2e20fdc402feedd6cad2
                                          • Opcode Fuzzy Hash: 6d9a5105b3a2a99af878f0e03edeeaf19c28f623bf8aad537c057d9cd6caab56
                                          • Instruction Fuzzy Hash: 5B711970A002099FDB54DFA9D990A9DBBF6BF84300F24C539E41AEB754DB30AD46CB50
                                          Function 069DFC70 Relevance: .2, Instructions: 178COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 74c0057ad85a3f8e1d9f6166b015e562437f14a203fe0a6492a56cb3b8594ee6
                                          • Instruction ID: d78048df19183f32699a78a9e7ed131620c9096613e9a4fd11a0b08585a1db26
                                          • Opcode Fuzzy Hash: 74c0057ad85a3f8e1d9f6166b015e562437f14a203fe0a6492a56cb3b8594ee6
                                          • Instruction Fuzzy Hash: 0F510031E00105DFCF24EB78E8596ADBBB6FB88315F20887AE10ADB655DB319845CB91
                                          Function 069DFA1F Relevance: .2, Instructions: 172COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 281235fad8e46332592bfd661c3fbb824e766f1026eba4db62d4c780fa2c4c2f
                                          • Instruction ID: 79e7039e2e1c15a8c3a4e94d2d8d5bc4cef46b9237c45c6f4419d5dcfd668edb
                                          • Opcode Fuzzy Hash: 281235fad8e46332592bfd661c3fbb824e766f1026eba4db62d4c780fa2c4c2f
                                          • Instruction Fuzzy Hash: FA51D830B102159BEF645A78D96576F2A5ED789310F30853AF40FC77D9CA69CC4583E2
                                          Function 069DFA30 Relevance: .2, Instructions: 163COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0cbb96730fcef0c103978523ac17da1b5a74c7b045899c13130ab38aa8e1076b
                                          • Instruction ID: 649164684fdaa93c76df1d2003afda2b170711a546023c4abdfa54e2f15ab469
                                          • Opcode Fuzzy Hash: 0cbb96730fcef0c103978523ac17da1b5a74c7b045899c13130ab38aa8e1076b
                                          • Instruction Fuzzy Hash: 6951D330B202159BEF646A6CD96572F265ED789310F30893AF40FC77D9CA69CC4543E2
                                          Function 069D5440 Relevance: .1, Instructions: 140COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a502739b503ca14450004ecc4bd8255bced6a7d6bb4e3fe40782e9c60cdd6770
                                          • Instruction ID: d9996db396a7bb3ec43539d95ad2860db562a385a83cb7430c985f209350e439
                                          • Opcode Fuzzy Hash: a502739b503ca14450004ecc4bd8255bced6a7d6bb4e3fe40782e9c60cdd6770
                                          • Instruction Fuzzy Hash: EA417171E006098FDB61CFA9D880AAFBBF6FB85310F21893AD155D7A54D330E8598B91
                                          Function 069D55C1 Relevance: .1, Instructions: 108COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f1439303f5f0960525c01734eccb746d409dd28bc40fcd9db567260382e78f76
                                          • Instruction ID: a6223fb3dffb4ea27801eb50120ba6862f94279a382f53894013e96bed54dd32
                                          • Opcode Fuzzy Hash: f1439303f5f0960525c01734eccb746d409dd28bc40fcd9db567260382e78f76
                                          • Instruction Fuzzy Hash: 8B318F30E002059BDF708E69C88077EBBBAFB85220F71C93AD459DBA85C635D941CB91
                                          Function 069DD960 Relevance: .1, Instructions: 102COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: db3f9d44a01519fa971e38153af7a7e8a0eb1a9f187760c99919d3b163541935
                                          • Instruction ID: b01d32a45d52470e84a5fea942293f25838f93bc7e057504958e0dc61ca76e50
                                          • Opcode Fuzzy Hash: db3f9d44a01519fa971e38153af7a7e8a0eb1a9f187760c99919d3b163541935
                                          • Instruction Fuzzy Hash: 2B31D630E1060A9FCF14DF65C850A9EBBBAFF85304F108939E405EB704DB71A8468B91
                                          Function 069D20A8 Relevance: .1, Instructions: 101COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ea3b6a5f99e7b260b2c98f2121e5ef081b6f1efd827cc6618aad42080f95f2c9
                                          • Instruction ID: 1984fb0c57fddfc59770cdd9205562987c20cbac0dda8a46b86db91c9253ac76
                                          • Opcode Fuzzy Hash: ea3b6a5f99e7b260b2c98f2121e5ef081b6f1efd827cc6618aad42080f95f2c9
                                          • Instruction Fuzzy Hash: 34318E30E1020ADBCB54CF65C854A9EB7B6FF89310F10C529EA16EB754DB31AD46CB80
                                          Function 069D20B8 Relevance: .1, Instructions: 91COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 04e9a552da04ac54d36e5a7bc8ca3e2fef31f3968f477df988ef302ea674c59e
                                          • Instruction ID: 5669d82121cab73020735d3ba715654f6b16ac80cc7ad7fc287795ddea240cb4
                                          • Opcode Fuzzy Hash: 04e9a552da04ac54d36e5a7bc8ca3e2fef31f3968f477df988ef302ea674c59e
                                          • Instruction Fuzzy Hash: 6A318030E1020A9BCB54CF65D854A9EB7F6FF89310F20C529EA16E7754DB71AD42CB90
                                          Function 069D3ED1 Relevance: .1, Instructions: 80COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f3e8af2bc61d46c0964e989a2740048af0f2060b91c2acc71023074f8369c947
                                          • Instruction ID: c390edfb727b3daf3bdf864b5c9e17efd05abf5735aca7065fc65d166718fbdf
                                          • Opcode Fuzzy Hash: f3e8af2bc61d46c0964e989a2740048af0f2060b91c2acc71023074f8369c947
                                          • Instruction Fuzzy Hash: 46217A75F002199FEB40DFB9D881AAEBBF6AB48310F108135E945E7394E731DC018BA1
                                          Function 069D3EE0 Relevance: .1, Instructions: 78COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5f7876bffe8a1ac34faab9c21a653be92bc8db8075ee6b1b7f6bf27a969394da
                                          • Instruction ID: 9f3f74c3c0f08fce1b728ff00b44555079b80abeb11304a3be5ace2504ce97f2
                                          • Opcode Fuzzy Hash: 5f7876bffe8a1ac34faab9c21a653be92bc8db8075ee6b1b7f6bf27a969394da
                                          • Instruction Fuzzy Hash: 8D218C75F002199FEB50DF6AD880AAEBBF6EB48710F208139E905E7394E770DC018B91
                                          Function 069D3481 Relevance: .1, Instructions: 75COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 99e9c52a23d8d6811084862a92c9b992f32ecdd8406cd66b5799f1dd06ab57a1
                                          • Instruction ID: 9606aa5028ccd5fbf4e2cbda1617558d23ca968d14b2aba4d66dc1b7f7164b87
                                          • Opcode Fuzzy Hash: 99e9c52a23d8d6811084862a92c9b992f32ecdd8406cd66b5799f1dd06ab57a1
                                          • Instruction Fuzzy Hash: 2B21C270E001299ECB54DB69D8405DEB7B5EB86311F10C979E40AE7700DA31D941CBA2
                                          Function 010FD044 Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1522818552.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_10fd000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e337526afce01dc32bbc71f29f6dc9802350b235c0c048af53447f09af20ae6d
                                          • Instruction ID: 1bcd282b2559fbfb4cbe542dacf9e5e8111c76aa2378279fd887c5ce6d238e4d
                                          • Opcode Fuzzy Hash: e337526afce01dc32bbc71f29f6dc9802350b235c0c048af53447f09af20ae6d
                                          • Instruction Fuzzy Hash: D6213471504204EFCB11CFA8C9C1B26BBA5FB84314F20C5ADFA894B756C73AD446CB62
                                          Function 069D6D08 Relevance: .1, Instructions: 68COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f78339a5988a724034f483e2cd67a43d6b3ea2a50ed61527eb1b9e979feb2ba9
                                          • Instruction ID: 7354bd2c84a6dc8c0e96a9eb1eb21e9a1fcf930008699d21f0647c9ab185ee15
                                          • Opcode Fuzzy Hash: f78339a5988a724034f483e2cd67a43d6b3ea2a50ed61527eb1b9e979feb2ba9
                                          • Instruction Fuzzy Hash: 83219D30B101199FDB44DB69E854BAEB7B6FB84350F208535E505EB784DB31AC458B80
                                          Function 069D4229 Relevance: .1, Instructions: 63COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f2cdc14dab6ee9ec90c877035940b373714004691406b3f9fc56e5f0f709417a
                                          • Instruction ID: d33d72fed3d7c7921286c352e863bb6b3f66082173d9c4c65e4c6b4c0f6e2d19
                                          • Opcode Fuzzy Hash: f2cdc14dab6ee9ec90c877035940b373714004691406b3f9fc56e5f0f709417a
                                          • Instruction Fuzzy Hash: 7401D634B005241FC75586AD9810B9BBBDADBC9A24F20C43AE609C7759D931CC0343D1
                                          Function 069D3FF0 Relevance: .1, Instructions: 59COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 34560627455af117a9d1b76602c225f9decb3cc32081d04c89b7648db9069900
                                          • Instruction ID: 602f66cbd5063f84b0a809cb8fac662beaee8d734115f84bdc8fea617ae7174b
                                          • Opcode Fuzzy Hash: 34560627455af117a9d1b76602c225f9decb3cc32081d04c89b7648db9069900
                                          • Instruction Fuzzy Hash: 2C11A131B100298BDB48DA78D810AAE73EAEBC8751F108539C50AE7344EE75DC028B91
                                          Function 069DF17F Relevance: .1, Instructions: 58COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b8e5062f1a565b271f857187c1cf4663cf2841ebf67b221f361de9f36479fe93
                                          • Instruction ID: 19e0a6573fbb2de4b4cef11b124d3c7affc10403cc6ba6907b6893c77f35340b
                                          • Opcode Fuzzy Hash: b8e5062f1a565b271f857187c1cf4663cf2841ebf67b221f361de9f36479fe93
                                          • Instruction Fuzzy Hash: 1901B5357005151FCB619A799855B6F7BDADB85710F24C435F60BCB345D910CD024391
                                          Function 069D3FDF Relevance: .1, Instructions: 57COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 88580bfeeebe5932a89d673be4e617207c3cffcea85cbf148368ef8b01acbb5d
                                          • Instruction ID: 0ceda36c95de63ffdb30925d30abe9b01f6c60494524a7f5e23db5c3107f582c
                                          • Opcode Fuzzy Hash: 88580bfeeebe5932a89d673be4e617207c3cffcea85cbf148368ef8b01acbb5d
                                          • Instruction Fuzzy Hash: 7801C032F100255BEB549A69DC106EF77AAEBC9A50F148535D506E7284EE21980687E1
                                          Function 069D3CA8 Relevance: .1, Instructions: 55COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 56290975f0526e337dda09c2fd87d243787cddad4dc3c318bc84035b3a2563f8
                                          • Instruction ID: d1ee7f69761da08694a9ce5c211e4bd33805f337d929ce2c2624ff8edf804159
                                          • Opcode Fuzzy Hash: 56290975f0526e337dda09c2fd87d243787cddad4dc3c318bc84035b3a2563f8
                                          • Instruction Fuzzy Hash: 462100B5C05259AFCB40DF9AD884ACEFFB8FB49310F10812AE918B3600C375A954CFA5
                                          Function 010FD03F Relevance: .1, Instructions: 53COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1522818552.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_10fd000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                          • Instruction ID: 6b7c4b74fc02b85ec0b3ad15817c6afe398ac087591e0d58d3b65dad61ee5b59
                                          • Opcode Fuzzy Hash: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                          • Instruction Fuzzy Hash: 6F11DD75504284DFDB12CF54C9C4B15BFA2FB84314F24C6ADEA894B652C33AD44ACF62
                                          Function 069DA2F8 Relevance: .1, Instructions: 53COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7fd121eedf689867f18e1b88ab1c484c0f1102f89605d2198c4c0eccc6cf5d51
                                          • Instruction ID: fe926f7c7198b8424d7d1e34ac5f83a6011c9ebc60e8f1f4385819d9fa41ac85
                                          • Opcode Fuzzy Hash: 7fd121eedf689867f18e1b88ab1c484c0f1102f89605d2198c4c0eccc6cf5d51
                                          • Instruction Fuzzy Hash: F9012830B041165FC711EB7DD820B1EFBDAEB46760F14C538E10AC7355EA21DC018381
                                          Function 069D3CB0 Relevance: .1, Instructions: 52COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cfe2e365d90ca12de80a4712431924d6767607825342e1c6fed977161087b1c6
                                          • Instruction ID: 683d407a30bcfb80270fad08ea24e22581152e2fc87986cb1852c7e858ff6025
                                          • Opcode Fuzzy Hash: cfe2e365d90ca12de80a4712431924d6767607825342e1c6fed977161087b1c6
                                          • Instruction Fuzzy Hash: 8A11DDB5D01259AFCB00DF9AD884ACEFFB8FB49310F10812AE918B7200C375A954CFA5
                                          Function 069D4238 Relevance: .1, Instructions: 51COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 61bc8b0e00505ae1dd7d07243048b0cedd7045a47f90b47918b4fe8603199b44
                                          • Instruction ID: 8f7c1d19ed0c69fed7f0dd4d0d5f16a95cec42ee9d016bf9267e4df43352c030
                                          • Opcode Fuzzy Hash: 61bc8b0e00505ae1dd7d07243048b0cedd7045a47f90b47918b4fe8603199b44
                                          • Instruction Fuzzy Hash: BB01AD30B004150BDBA496AD9464B6BA3DBDBC8B24F20C43AE60EC7759EE71DC0243D1
                                          Function 069DF190 Relevance: .0, Instructions: 49COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ca94354b0ec0b553c3cac4f4f4935d205445fdcf211783d762fcfa4065b5c24d
                                          • Instruction ID: aac04b3907493d08f85101d61defb9d8195d8158017ac4bee9dea8880492a2ce
                                          • Opcode Fuzzy Hash: ca94354b0ec0b553c3cac4f4f4935d205445fdcf211783d762fcfa4065b5c24d
                                          • Instruction Fuzzy Hash: 06018C36B004150BCBA4DA7DE895B2FA7DAEBC9720F24C839E60BC7344EE61DC024391
                                          Function 069DA308 Relevance: .0, Instructions: 46COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cf064783086dabfbe5874501f031e8a4eab6c135d804d1cc7b474ca646b288ee
                                          • Instruction ID: beaf44e973ff002822cf5cfcd199ecdafa2394231dd756b24f241f074c20adf1
                                          • Opcode Fuzzy Hash: cf064783086dabfbe5874501f031e8a4eab6c135d804d1cc7b474ca646b288ee
                                          • Instruction Fuzzy Hash: 00018130B001164FCB50EA7DD454B2EB3DBEB85760F20C938E10AC7354EA22DC528780
                                          Function 069DC7D0 Relevance: .0, Instructions: 43COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3554d301425d280304ef25cf3152fff95c362c605dc830b7a1369f4bc2c250b9
                                          • Instruction ID: 1506c935210f74e880ddd6ebe0d4a9741a5108a48745f6c93396dc8ea91dada8
                                          • Opcode Fuzzy Hash: 3554d301425d280304ef25cf3152fff95c362c605dc830b7a1369f4bc2c250b9
                                          • Instruction Fuzzy Hash: CF01A431E202249BCB549A6AE851A9EB77EFB85314F108539E901EB745DB31A804CBC0
                                          Function 069D6468 Relevance: .0, Instructions: 27COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b66a7b41237a11844c403f36e5a57a0e3dd530384fa44b108bb8ac5728a56a68
                                          • Instruction ID: 39ad4fde42e2df618539cdf879bdbd10e6472fce2d6686deb51374ffe8e851df
                                          • Opcode Fuzzy Hash: b66a7b41237a11844c403f36e5a57a0e3dd530384fa44b108bb8ac5728a56a68
                                          • Instruction Fuzzy Hash: 0AE09270E05148ABDF50CFA1CA55B9E376DEB02208F20C8BAD408CB642E172DA1587C1
                                          Function 069DFED9 Relevance: .0, Instructions: 9COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 637969d9f086848d2a6bed3176bad35fbfc2c10ee5470b17bee6028dbfa23b83
                                          • Instruction ID: 7bf2b19196c20231882bdde26aca804edf3937ef0c634fa3ccaf45b048ac5723
                                          • Opcode Fuzzy Hash: 637969d9f086848d2a6bed3176bad35fbfc2c10ee5470b17bee6028dbfa23b83
                                          • Instruction Fuzzy Hash: 20B09B351015009F8F45EA3095805D13367FB863057D0189CF4110E6458735D413D551

                                          Non-executed Functions

                                          Function 069D7690 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q
                                          • API String ID: 0-698649689
                                          • Opcode ID: 5bd7f9b649673e8bff381630d000c98bf5647172e973acf17ed37225acc49972
                                          • Instruction ID: 68fff2c07c9687817db615a5752415d058d5cfaa08a2dd3c558ff9be5ddf94ca
                                          • Opcode Fuzzy Hash: 5bd7f9b649673e8bff381630d000c98bf5647172e973acf17ed37225acc49972
                                          • Instruction Fuzzy Hash: BB120A30E002198FDB64DFA5C954AADB7F6BF89304F208979D409AB764DB709D85CF81
                                          Function 069DA930 Relevance: 10.2, Strings: 8, Instructions: 229COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q
                                          • API String ID: 0-2216122830
                                          • Opcode ID: 629a4be7ac558108d086c102e2c31aa098dc498332d98fc7052329006966fb9a
                                          • Instruction ID: 75167f57c52eaa035dc34862a9a45741accf54b702c37201cfa0c01e2e2e780f
                                          • Opcode Fuzzy Hash: 629a4be7ac558108d086c102e2c31aa098dc498332d98fc7052329006966fb9a
                                          • Instruction Fuzzy Hash: 20917F30A0021A9FDB68EF65D994B6E7BF6BF84310F24CA39E4019B794DB749C45CB90
                                          Function 069D7090 Relevance: 9.2, Strings: 7, Instructions: 405COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .5wq$$_q$$_q$$_q$$_q$$_q$$_q
                                          • API String ID: 0-3129995876
                                          • Opcode ID: 60e86316ca018f84cfa39b04ede0ffc0e00aee83d1d0d84d326aeedc29cfcecc
                                          • Instruction ID: eac4cc9cce7815cfa1a9e8b4f5b6f5821e004a1fd002f5c82431391d83f5d8b0
                                          • Opcode Fuzzy Hash: 60e86316ca018f84cfa39b04ede0ffc0e00aee83d1d0d84d326aeedc29cfcecc
                                          • Instruction Fuzzy Hash: 87F13B30B00219DFDB58EFA5D594A6EB7B7BF84300F248579D4069B7A8DB31AC46CB81
                                          Function 069D83C8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q
                                          • API String ID: 0-1171383116
                                          • Opcode ID: cbecfb68ad8a2eec305c93041932277ebaca037ee3b1b88895ccbc30db3a8d83
                                          • Instruction ID: c77bf0f7ccedcd82bba421e627729831dc9a84a26cc69b7aae41c1b4d7002e7e
                                          • Opcode Fuzzy Hash: cbecfb68ad8a2eec305c93041932277ebaca037ee3b1b88895ccbc30db3a8d83
                                          • Instruction Fuzzy Hash: 83B15A30B002199FDB58EF65C6946AEB7B6BF84300F24C979D0059B759DB74DC86CB80
                                          Function 069D87E0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LR_q$LR_q$$_q$$_q
                                          • API String ID: 0-2912794808
                                          • Opcode ID: 6c6ffad3d526e20a60fd9b325d4675960efac4cde89a66c653f5c8fa84a9f52a
                                          • Instruction ID: 03474042cee0ad22079afc4acc12427b1c2eb92b9d0e3d559354ba44162ffd53
                                          • Opcode Fuzzy Hash: 6c6ffad3d526e20a60fd9b325d4675960efac4cde89a66c653f5c8fa84a9f52a
                                          • Instruction Fuzzy Hash: 8851D330B002029FCB58EF29D950A6EB7E6FF84300F10CA79E4159B76ADA31EC01CB81
                                          Function 069DACBA Relevance: 5.2, Strings: 4, Instructions: 165COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1533894328.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_69d0000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q
                                          • API String ID: 0-1171383116
                                          • Opcode ID: 4b43b96b6f5e73b78f9936b2d1ca481b6ee396f6fbe3e2c2189e0d52e2a196c0
                                          • Instruction ID: f082b56c6abdfc8d2affc193f0b5aac053fa4159ee16d3fdf9db3ff3fb612064
                                          • Opcode Fuzzy Hash: 4b43b96b6f5e73b78f9936b2d1ca481b6ee396f6fbe3e2c2189e0d52e2a196c0
                                          • Instruction Fuzzy Hash: 8E51BF30A102159FDF64DF68D880AAEB7B6FB84310F20893AE805D7744DB31EC46CB91

                                          Execution Graph

                                          Execution Coverage:8.6%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:256
                                          Total number of Limit Nodes:13
                                          execution_graph 35850 52cb37d 35851 52cb27c 35850->35851 35852 52cb304 35851->35852 35856 52cbede 35851->35856 35877 52cbe71 35851->35877 35897 52cbe80 35851->35897 35857 52cbe6c 35856->35857 35859 52cbee1 35856->35859 35917 52cc6b1 35857->35917 35923 52cc757 35857->35923 35928 52cc618 35857->35928 35933 52cc65d 35857->35933 35938 52ccaa2 35857->35938 35944 52cc381 35857->35944 35949 52cc8a0 35857->35949 35953 52cc287 35857->35953 35957 52cc705 35857->35957 35963 52cc4c4 35857->35963 35969 52cc34f 35857->35969 35975 52cca2f 35857->35975 35979 52cc5ac 35857->35979 35986 52cc813 35857->35986 35991 52cc733 35857->35991 35997 52cc552 35857->35997 36002 52cc2f1 35857->36002 35858 52cbebe 35858->35852 35859->35852 35878 52cbe80 35877->35878 35880 52cc5ac 4 API calls 35878->35880 35881 52cca2f 2 API calls 35878->35881 35882 52cc34f 2 API calls 35878->35882 35883 52cc4c4 2 API calls 35878->35883 35884 52cc705 3 API calls 35878->35884 35885 52cc287 2 API calls 35878->35885 35886 52cc8a0 2 API calls 35878->35886 35887 52cc381 2 API calls 35878->35887 35888 52ccaa2 2 API calls 35878->35888 35889 52cc65d 3 API calls 35878->35889 35890 52cc618 2 API calls 35878->35890 35891 52cc757 2 API calls 35878->35891 35892 52cc6b1 2 API calls 35878->35892 35893 52cc2f1 2 API calls 35878->35893 35894 52cc552 2 API calls 35878->35894 35895 52cc733 2 API calls 35878->35895 35896 52cc813 2 API calls 35878->35896 35879 52cbebe 35879->35852 35880->35879 35881->35879 35882->35879 35883->35879 35884->35879 35885->35879 35886->35879 35887->35879 35888->35879 35889->35879 35890->35879 35891->35879 35892->35879 35893->35879 35894->35879 35895->35879 35896->35879 35898 52cbe9a 35897->35898 35900 52cc5ac 4 API calls 35898->35900 35901 52cca2f 2 API calls 35898->35901 35902 52cc34f 2 API calls 35898->35902 35903 52cc4c4 2 API calls 35898->35903 35904 52cc705 3 API calls 35898->35904 35905 52cc287 2 API calls 35898->35905 35906 52cc8a0 2 API calls 35898->35906 35907 52cc381 2 API calls 35898->35907 35908 52ccaa2 2 API calls 35898->35908 35909 52cc65d 3 API calls 35898->35909 35910 52cc618 2 API calls 35898->35910 35911 52cc757 2 API calls 35898->35911 35912 52cc6b1 2 API calls 35898->35912 35913 52cc2f1 2 API calls 35898->35913 35914 52cc552 2 API calls 35898->35914 35915 52cc733 2 API calls 35898->35915 35916 52cc813 2 API calls 35898->35916 35899 52cbebe 35899->35852 35900->35899 35901->35899 35902->35899 35903->35899 35904->35899 35905->35899 35906->35899 35907->35899 35908->35899 35909->35899 35910->35899 35911->35899 35912->35899 35913->35899 35914->35899 35915->35899 35916->35899 35919 52cc2fd 35917->35919 35918 52ccca4 35920 52cc6e6 35919->35920 36008 52ca108 35919->36008 36012 52ca100 35919->36012 35920->35858 35924 52cc75d 35923->35924 35926 52ca108 ResumeThread 35924->35926 35927 52ca100 ResumeThread 35924->35927 35925 52ccca4 35926->35925 35927->35925 35929 52cc63b 35928->35929 36016 52ca788 35929->36016 36020 52ca780 35929->36020 35930 52ccc0d 35934 52cc691 35933->35934 36024 52ca950 35933->36024 36028 52ca878 35933->36028 36032 52ca870 35933->36032 35934->35858 35939 52cc2fd 35938->35939 35941 52ccbd5 35939->35941 35942 52ca108 ResumeThread 35939->35942 35943 52ca100 ResumeThread 35939->35943 35940 52ccca4 35941->35858 35942->35940 35943->35940 35945 52cc38a 35944->35945 35947 52ca788 WriteProcessMemory 35945->35947 35948 52ca780 WriteProcessMemory 35945->35948 35946 52cc3b0 35947->35946 35948->35946 36036 52ca5f0 35949->36036 36040 52ca5e9 35949->36040 35950 52cc385 35950->35858 36044 52cae04 35953->36044 36048 52cae10 35953->36048 35958 52cc66f 35957->35958 35960 52ca878 ReadProcessMemory 35958->35960 35961 52ca950 ReadProcessMemory 35958->35961 35962 52ca870 ReadProcessMemory 35958->35962 35959 52cc691 35959->35858 35960->35959 35961->35959 35962->35959 35964 52cc2fd 35963->35964 35964->35963 35965 52ccbd5 35964->35965 35967 52ca108 ResumeThread 35964->35967 35968 52ca100 ResumeThread 35964->35968 35965->35858 35966 52ccca4 35967->35966 35968->35966 35970 52cc2fd 35969->35970 35971 52ccbd5 35970->35971 35973 52ca108 ResumeThread 35970->35973 35974 52ca100 ResumeThread 35970->35974 35971->35858 35972 52ccca4 35973->35972 35974->35972 35977 52ca5e9 Wow64SetThreadContext 35975->35977 35978 52ca5f0 Wow64SetThreadContext 35975->35978 35976 52cca49 35977->35976 35978->35976 36052 52ca6c8 35979->36052 36056 52ca6c1 35979->36056 35980 52cc569 35981 52cc58d 35980->35981 35982 52ca788 WriteProcessMemory 35980->35982 35983 52ca780 WriteProcessMemory 35980->35983 35982->35981 35983->35981 35987 52cc76e 35986->35987 35989 52ca108 ResumeThread 35987->35989 35990 52ca100 ResumeThread 35987->35990 35988 52ccca4 35989->35988 35990->35988 35992 52cc2fd 35991->35992 35993 52ccbd5 35992->35993 35995 52ca108 ResumeThread 35992->35995 35996 52ca100 ResumeThread 35992->35996 35993->35858 35994 52ccca4 35995->35994 35996->35994 35998 52cc558 35997->35998 36000 52ca788 WriteProcessMemory 35998->36000 36001 52ca780 WriteProcessMemory 35998->36001 35999 52cc58d 36000->35999 36001->35999 36003 52cc2fd 36002->36003 36005 52ccbd5 36003->36005 36006 52ca108 ResumeThread 36003->36006 36007 52ca100 ResumeThread 36003->36007 36004 52ccca4 36005->35858 36006->36004 36007->36004 36009 52ca148 ResumeThread 36008->36009 36011 52ca179 36009->36011 36011->35918 36013 52ca108 ResumeThread 36012->36013 36015 52ca179 36013->36015 36015->35918 36017 52ca7d0 WriteProcessMemory 36016->36017 36019 52ca827 36017->36019 36019->35930 36021 52ca788 WriteProcessMemory 36020->36021 36023 52ca827 36021->36023 36023->35930 36025 52ca8e5 ReadProcessMemory 36024->36025 36027 52ca956 36024->36027 36026 52ca907 36025->36026 36026->35934 36027->35934 36029 52ca8c3 ReadProcessMemory 36028->36029 36031 52ca907 36029->36031 36031->35934 36033 52ca878 ReadProcessMemory 36032->36033 36035 52ca907 36033->36035 36035->35934 36037 52ca635 Wow64SetThreadContext 36036->36037 36039 52ca67d 36037->36039 36039->35950 36041 52ca5f0 Wow64SetThreadContext 36040->36041 36043 52ca67d 36041->36043 36043->35950 36045 52cae99 CreateProcessA 36044->36045 36047 52cb05b 36045->36047 36047->36047 36049 52cae99 CreateProcessA 36048->36049 36051 52cb05b 36049->36051 36051->36051 36053 52ca708 VirtualAllocEx 36052->36053 36055 52ca745 36053->36055 36055->35980 36057 52ca6c8 VirtualAllocEx 36056->36057 36059 52ca745 36057->36059 36059->35980 36060 263acb0 36061 263acbf 36060->36061 36064 263ad97 36060->36064 36069 263ada8 36060->36069 36065 263addc 36064->36065 36066 263adb9 36064->36066 36065->36061 36066->36065 36067 263afe0 GetModuleHandleW 36066->36067 36068 263b00d 36067->36068 36068->36061 36070 263addc 36069->36070 36071 263adb9 36069->36071 36070->36061 36071->36070 36072 263afe0 GetModuleHandleW 36071->36072 36073 263b00d 36072->36073 36073->36061 36123 263d040 36124 263d086 36123->36124 36128 263d628 36124->36128 36131 263d618 36124->36131 36125 263d173 36134 263d27c 36128->36134 36132 263d656 36131->36132 36133 263d27c DuplicateHandle 36131->36133 36132->36125 36133->36132 36135 263d690 DuplicateHandle 36134->36135 36136 263d656 36135->36136 36136->36125 36137 52ce6c8 36138 52ce6f0 36137->36138 36139 52ce6e6 36137->36139 36141 52ce730 36139->36141 36142 52ce73e 36141->36142 36145 52ce75d 36141->36145 36146 52cdd60 36142->36146 36145->36138 36147 52ce8a8 CloseHandle 36146->36147 36148 52ce759 36147->36148 36148->36138 36074 246d01c 36075 246d034 36074->36075 36076 246d08e 36075->36076 36079 4c62808 36075->36079 36084 4c62818 36075->36084 36080 4c62845 36079->36080 36081 4c62877 36080->36081 36089 4c629a0 36080->36089 36094 4c62991 36080->36094 36081->36081 36085 4c62845 36084->36085 36086 4c62877 36085->36086 36087 4c629a0 2 API calls 36085->36087 36088 4c62991 2 API calls 36085->36088 36086->36086 36087->36086 36088->36086 36091 4c629b4 36089->36091 36090 4c62a40 36090->36081 36099 4c62a48 36091->36099 36102 4c62a58 36091->36102 36096 4c629b4 36094->36096 36095 4c62a40 36095->36081 36097 4c62a48 2 API calls 36096->36097 36098 4c62a58 2 API calls 36096->36098 36097->36095 36098->36095 36100 4c62a69 36099->36100 36105 4c6401e 36099->36105 36100->36090 36103 4c62a69 36102->36103 36104 4c6401e 2 API calls 36102->36104 36103->36090 36104->36103 36109 4c64040 36105->36109 36113 4c64030 36105->36113 36106 4c6402a 36106->36100 36110 4c64082 36109->36110 36112 4c64089 36109->36112 36111 4c640da CallWindowProcW 36110->36111 36110->36112 36111->36112 36112->36106 36114 4c64082 36113->36114 36116 4c64089 36113->36116 36115 4c640da CallWindowProcW 36114->36115 36114->36116 36115->36116 36116->36106 35822 2634668 35823 263467a 35822->35823 35824 2634686 35823->35824 35826 2634779 35823->35826 35827 263479d 35826->35827 35831 2634879 35827->35831 35835 2634888 35827->35835 35833 26348af 35831->35833 35832 263498c 35832->35832 35833->35832 35839 26344c4 35833->35839 35836 26348af 35835->35836 35837 26344c4 CreateActCtxA 35836->35837 35838 263498c 35836->35838 35837->35838 35840 2635918 CreateActCtxA 35839->35840 35842 26359db 35840->35842 36117 52cb437 36118 52cb3c6 36117->36118 36119 52cb445 36118->36119 36120 52cbede 13 API calls 36118->36120 36121 52cbe80 13 API calls 36118->36121 36122 52cbe71 13 API calls 36118->36122 36120->36119 36121->36119 36122->36119 35843 52cd060 35844 52cd1eb 35843->35844 35846 52cd086 35843->35846 35846->35844 35847 52caa18 35846->35847 35848 52cd2e0 PostMessageW 35847->35848 35849 52cd34c 35848->35849 35849->35846

                                          Executed Functions

                                          Function 052CAE04 Relevance: 1.8, APIs: 1, Instructions: 251processCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1382 52cae04-52caea5 1384 52caede-52caefe 1382->1384 1385 52caea7-52caeb1 1382->1385 1392 52caf37-52caf66 1384->1392 1393 52caf00-52caf0a 1384->1393 1385->1384 1386 52caeb3-52caeb5 1385->1386 1388 52caed8-52caedb 1386->1388 1389 52caeb7-52caec1 1386->1389 1388->1384 1390 52caec5-52caed4 1389->1390 1391 52caec3 1389->1391 1390->1390 1394 52caed6 1390->1394 1391->1390 1399 52caf9f-52cb059 CreateProcessA 1392->1399 1400 52caf68-52caf72 1392->1400 1393->1392 1395 52caf0c-52caf0e 1393->1395 1394->1388 1397 52caf10-52caf1a 1395->1397 1398 52caf31-52caf34 1395->1398 1401 52caf1c 1397->1401 1402 52caf1e-52caf2d 1397->1402 1398->1392 1413 52cb05b-52cb061 1399->1413 1414 52cb062-52cb0e8 1399->1414 1400->1399 1403 52caf74-52caf76 1400->1403 1401->1402 1402->1402 1404 52caf2f 1402->1404 1405 52caf78-52caf82 1403->1405 1406 52caf99-52caf9c 1403->1406 1404->1398 1408 52caf84 1405->1408 1409 52caf86-52caf95 1405->1409 1406->1399 1408->1409 1409->1409 1410 52caf97 1409->1410 1410->1406 1413->1414 1424 52cb0f8-52cb0fc 1414->1424 1425 52cb0ea-52cb0ee 1414->1425 1427 52cb10c-52cb110 1424->1427 1428 52cb0fe-52cb102 1424->1428 1425->1424 1426 52cb0f0 1425->1426 1426->1424 1430 52cb120-52cb124 1427->1430 1431 52cb112-52cb116 1427->1431 1428->1427 1429 52cb104 1428->1429 1429->1427 1433 52cb136-52cb13d 1430->1433 1434 52cb126-52cb12c 1430->1434 1431->1430 1432 52cb118 1431->1432 1432->1430 1435 52cb13f-52cb14e 1433->1435 1436 52cb154 1433->1436 1434->1433 1435->1436 1438 52cb155 1436->1438 1438->1438
                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 052CB046
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1544104084.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_52c0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: bd33e74f7138ed9df69292af65c1f1c5606b1a62766149b2cd7526d575846eed
                                          • Instruction ID: b2e7080c5614fde5e213c20be4fd669cbac4f08cce7ecc2a8dcf21d1000983ac
                                          • Opcode Fuzzy Hash: bd33e74f7138ed9df69292af65c1f1c5606b1a62766149b2cd7526d575846eed
                                          • Instruction Fuzzy Hash: 0AA18B71D1021ADFDB20CFA8C845BEEBBB2BF45304F1482A9E849A7240DB759985CF91
                                          Function 052CAE10 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1439 52cae10-52caea5 1441 52caede-52caefe 1439->1441 1442 52caea7-52caeb1 1439->1442 1449 52caf37-52caf66 1441->1449 1450 52caf00-52caf0a 1441->1450 1442->1441 1443 52caeb3-52caeb5 1442->1443 1445 52caed8-52caedb 1443->1445 1446 52caeb7-52caec1 1443->1446 1445->1441 1447 52caec5-52caed4 1446->1447 1448 52caec3 1446->1448 1447->1447 1451 52caed6 1447->1451 1448->1447 1456 52caf9f-52cb059 CreateProcessA 1449->1456 1457 52caf68-52caf72 1449->1457 1450->1449 1452 52caf0c-52caf0e 1450->1452 1451->1445 1454 52caf10-52caf1a 1452->1454 1455 52caf31-52caf34 1452->1455 1458 52caf1c 1454->1458 1459 52caf1e-52caf2d 1454->1459 1455->1449 1470 52cb05b-52cb061 1456->1470 1471 52cb062-52cb0e8 1456->1471 1457->1456 1460 52caf74-52caf76 1457->1460 1458->1459 1459->1459 1461 52caf2f 1459->1461 1462 52caf78-52caf82 1460->1462 1463 52caf99-52caf9c 1460->1463 1461->1455 1465 52caf84 1462->1465 1466 52caf86-52caf95 1462->1466 1463->1456 1465->1466 1466->1466 1467 52caf97 1466->1467 1467->1463 1470->1471 1481 52cb0f8-52cb0fc 1471->1481 1482 52cb0ea-52cb0ee 1471->1482 1484 52cb10c-52cb110 1481->1484 1485 52cb0fe-52cb102 1481->1485 1482->1481 1483 52cb0f0 1482->1483 1483->1481 1487 52cb120-52cb124 1484->1487 1488 52cb112-52cb116 1484->1488 1485->1484 1486 52cb104 1485->1486 1486->1484 1490 52cb136-52cb13d 1487->1490 1491 52cb126-52cb12c 1487->1491 1488->1487 1489 52cb118 1488->1489 1489->1487 1492 52cb13f-52cb14e 1490->1492 1493 52cb154 1490->1493 1491->1490 1492->1493 1495 52cb155 1493->1495 1495->1495
                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 052CB046
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1544104084.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_52c0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: ea4bf111182db255c8dde81f174b45db471d5c33be6842d1a114562d42bcbd0b
                                          • Instruction ID: 93a64cdc9a1e96a61050d1e144e6faf95418c6769c42f4386ead7c8f4cc57c02
                                          • Opcode Fuzzy Hash: ea4bf111182db255c8dde81f174b45db471d5c33be6842d1a114562d42bcbd0b
                                          • Instruction Fuzzy Hash: E9916B71D1021ADFDB20CFA8C845BEDBBB2BF49314F1482A9E809A7250DB759985CF91
                                          Function 0263ADA8 Relevance: 1.7, APIs: 1, Instructions: 198COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1496 263ada8-263adb7 1497 263ade3-263ade7 1496->1497 1498 263adb9-263adc6 call 263a0cc 1496->1498 1500 263adfb-263ae3c 1497->1500 1501 263ade9-263adf3 1497->1501 1505 263adc8 1498->1505 1506 263addc 1498->1506 1507 263ae49-263ae57 1500->1507 1508 263ae3e-263ae46 1500->1508 1501->1500 1551 263adce call 263b031 1505->1551 1552 263adce call 263b040 1505->1552 1506->1497 1509 263ae7b-263ae7d 1507->1509 1510 263ae59-263ae5e 1507->1510 1508->1507 1515 263ae80-263ae87 1509->1515 1512 263ae60-263ae67 call 263a0d8 1510->1512 1513 263ae69 1510->1513 1511 263add4-263add6 1511->1506 1514 263af18-263afd8 1511->1514 1519 263ae6b-263ae79 1512->1519 1513->1519 1546 263afe0-263b00b GetModuleHandleW 1514->1546 1547 263afda-263afdd 1514->1547 1516 263ae94-263ae9b 1515->1516 1517 263ae89-263ae91 1515->1517 1520 263aea8-263aeaa call 263a0e8 1516->1520 1521 263ae9d-263aea5 1516->1521 1517->1516 1519->1515 1525 263aeaf-263aeb1 1520->1525 1521->1520 1527 263aeb3-263aebb 1525->1527 1528 263aebe-263aec3 1525->1528 1527->1528 1529 263aee1-263aeee 1528->1529 1530 263aec5-263aecc 1528->1530 1536 263af11-263af17 1529->1536 1537 263aef0-263af0e 1529->1537 1530->1529 1532 263aece-263aede call 263a0f8 call 263a108 1530->1532 1532->1529 1537->1536 1548 263b014-263b028 1546->1548 1549 263b00d-263b013 1546->1549 1547->1546 1549->1548 1551->1511 1552->1511
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0263AFFE
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1523347611.0000000002630000.00000040.00000800.00020000.00000000.sdmp, Offset: 02630000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_2630000_mpTrle.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 9fe5061dcb6784cdc903b922045af3df8503a34489554c205ee8eed851036d4f
                                          • Instruction ID: ca5eecea1f72525d016a5094e9cc1ff52487c059c74901af1c81308f04d508bd
                                          • Opcode Fuzzy Hash: 9fe5061dcb6784cdc903b922045af3df8503a34489554c205ee8eed851036d4f
                                          • Instruction Fuzzy Hash: D0711170A00B058FD725DF6AD44476ABBF2FF88304F008A2ED48A97B50DB75E949DB91
                                          Function 026344C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1676 26344c4-26359d9 CreateActCtxA 1679 26359e2-2635a3c 1676->1679 1680 26359db-26359e1 1676->1680 1687 2635a4b-2635a4f 1679->1687 1688 2635a3e-2635a41 1679->1688 1680->1679 1689 2635a51-2635a5d 1687->1689 1690 2635a60 1687->1690 1688->1687 1689->1690 1692 2635a61 1690->1692 1692->1692
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 026359C9
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1523347611.0000000002630000.00000040.00000800.00020000.00000000.sdmp, Offset: 02630000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_2630000_mpTrle.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 18bd3820ec0da98da40a90803dff2b3033e043611d977bfeb286320bd8397b7f
                                          • Instruction ID: df6641426e54c4572861f81ca0f3b013f611f0f587d02f21d78673795f4302a5
                                          • Opcode Fuzzy Hash: 18bd3820ec0da98da40a90803dff2b3033e043611d977bfeb286320bd8397b7f
                                          • Instruction Fuzzy Hash: F34102B1C0071DCBDB24DFAAC884B9EBBF5BF48304F60806AD409AB255DB756949CF90
                                          Function 0263590C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1693 263590c-26359d9 CreateActCtxA 1695 26359e2-2635a3c 1693->1695 1696 26359db-26359e1 1693->1696 1703 2635a4b-2635a4f 1695->1703 1704 2635a3e-2635a41 1695->1704 1696->1695 1705 2635a51-2635a5d 1703->1705 1706 2635a60 1703->1706 1704->1703 1705->1706 1708 2635a61 1706->1708 1708->1708
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 026359C9
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1523347611.0000000002630000.00000040.00000800.00020000.00000000.sdmp, Offset: 02630000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_2630000_mpTrle.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 0fbec2647d73176ae19468b26d0816e56ed691e41a14a8ece1015612cd6354b3
                                          • Instruction ID: 9cc8217ae79ecfb16612e1dcb208e81a7e66ce94bab5b198fe856de1df184ef5
                                          • Opcode Fuzzy Hash: 0fbec2647d73176ae19468b26d0816e56ed691e41a14a8ece1015612cd6354b3
                                          • Instruction Fuzzy Hash: 4B4102B1C0071DCBDB24DFAAC88479EBBF1BF48304F60806AD409AB254DB75694ACF90
                                          Function 04C64040 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1709 4c64040-4c6407c 1710 4c64082-4c64087 1709->1710 1711 4c6412c-4c6414c 1709->1711 1712 4c640da-4c64112 CallWindowProcW 1710->1712 1713 4c64089-4c640c0 1710->1713 1717 4c6414f-4c6415c 1711->1717 1715 4c64114-4c6411a 1712->1715 1716 4c6411b-4c6412a 1712->1716 1719 4c640c2-4c640c8 1713->1719 1720 4c640c9-4c640d8 1713->1720 1715->1716 1716->1717 1719->1720 1720->1717
                                          APIs
                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 04C64101
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1542329873.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c60000_mpTrle.jbxd
                                          Similarity
                                          • API ID: CallProcWindow
                                          • String ID:
                                          • API String ID: 2714655100-0
                                          • Opcode ID: 6e0316d90288824822d8b729d74aec030cdbe3efaba10764f3d38824fd2c4b97
                                          • Instruction ID: 8f6c4d78bab364e4b78e0943b547b340eaf4ae250662ec0dcef1e8c806bfdb12
                                          • Opcode Fuzzy Hash: 6e0316d90288824822d8b729d74aec030cdbe3efaba10764f3d38824fd2c4b97
                                          • Instruction Fuzzy Hash: 3F414CB9900319DFDB14CF99C488AAABBF6FF88314F24C459D519AB321D334A940CFA4
                                          Function 052CA950 Relevance: 1.6, APIs: 1, Instructions: 82COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1723 52ca950-52ca954 1724 52ca8e5-52ca905 ReadProcessMemory 1723->1724 1725 52ca956-52ca9ca 1723->1725 1727 52ca90e-52ca93e 1724->1727 1728 52ca907-52ca90d 1724->1728 1734 52ca9cc-52ca9d2 1725->1734 1735 52ca9d3-52ca9f8 1725->1735 1728->1727 1734->1735
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 052CA8F8
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1544104084.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_52c0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 5ab9c6fe2f7e5668d7baba1653ac6783bbf7c85bd1c8bbca78b04af612edf7d9
                                          • Instruction ID: be0a7347d1d7d2cc2d18a0f00a08c45806b59cdc1a8072d78d3efafe2e26752a
                                          • Opcode Fuzzy Hash: 5ab9c6fe2f7e5668d7baba1653ac6783bbf7c85bd1c8bbca78b04af612edf7d9
                                          • Instruction Fuzzy Hash: 9A3185728043498FDB20DFA9D8457DEFFF0AF89320F14886EC459A7281C779A545CBA1
                                          Function 052CA780 Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1739 52ca780-52ca7d6 1742 52ca7d8-52ca7e4 1739->1742 1743 52ca7e6-52ca825 WriteProcessMemory 1739->1743 1742->1743 1745 52ca82e-52ca85e 1743->1745 1746 52ca827-52ca82d 1743->1746 1746->1745
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 052CA818
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1544104084.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_52c0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 5943c2d54873108c65f94e218cff3b140f4bc89a4746bb6fe119b405866ee97f
                                          • Instruction ID: 55adefd20c46a9e325542cd3e727ce3521f06cdaed9cb3d0762e9bb3c213e6d0
                                          • Opcode Fuzzy Hash: 5943c2d54873108c65f94e218cff3b140f4bc89a4746bb6fe119b405866ee97f
                                          • Instruction Fuzzy Hash: B021467690030D9FDB10DFA9C985BEEBBF5FF48310F10852AE919A7241C778A945CBA0
                                          Function 052CA788 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                          Download Yara Rule
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 052CA818
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1544104084.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_52c0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 02423387d38145f83eb7b52bb81bcbffb595423b6b95bbc7b0f516d58920d199
                                          • Instruction ID: bbbc1777c26dfa3c6be4d7d05b04f2c488025452d37f83373ffb170df93c18a8
                                          • Opcode Fuzzy Hash: 02423387d38145f83eb7b52bb81bcbffb595423b6b95bbc7b0f516d58920d199
                                          • Instruction Fuzzy Hash: FD2124B690034D9FCB10DFA9C985BEEBBF5FF48310F10852AE919A7241D7789945CBA0
                                          Function 052CA870 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                                          Download Yara Rule
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 052CA8F8
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1544104084.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_52c0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 3f79e6daa1b942026bd92233366caa4c126570255777dbde72ded19354a309e5
                                          • Instruction ID: d0e836da7fe0d7fdc5a65d5e14e0b3508a8f17e2d4e4d9a74144438e22669ee5
                                          • Opcode Fuzzy Hash: 3f79e6daa1b942026bd92233366caa4c126570255777dbde72ded19354a309e5
                                          • Instruction Fuzzy Hash: 652105B1D002599FDB10DFAAC881AEEBBF5FF48310F10842AE919A7240D7799955CBA1
                                          Function 0263D27C Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                          Download Yara Rule
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0263D656,?,?,?,?,?), ref: 0263D717
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1523347611.0000000002630000.00000040.00000800.00020000.00000000.sdmp, Offset: 02630000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_2630000_mpTrle.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: a0f7d59157596517b3221f3c995f9a0679b65501f088d47482c2439e5e100cbe
                                          • Instruction ID: a94dd8ce38836c94707a2cc6440ade0343f35aef29dbde56b4d2dcce1a3fa78c
                                          • Opcode Fuzzy Hash: a0f7d59157596517b3221f3c995f9a0679b65501f088d47482c2439e5e100cbe
                                          • Instruction Fuzzy Hash: 0421E4B5D00248AFDB10CFAAD584AEEFBF4EB48314F14805AE918B3310D374A954CFA5
                                          Function 052CA5E9 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON
                                          Download Yara Rule
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 052CA66E
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1544104084.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_52c0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 19b8b831203c67a0f76d0eec340680da5579b65d73e233f5e6ab62c5dc3d0a54
                                          • Instruction ID: 4691cd7c510f49725cbe2840d664aab6948c827ff4f7bcf8bd7e4bea3dd73cab
                                          • Opcode Fuzzy Hash: 19b8b831203c67a0f76d0eec340680da5579b65d73e233f5e6ab62c5dc3d0a54
                                          • Instruction Fuzzy Hash: 45213472D102098FDB10DFAAC4857EEBBF4EF88324F14842ED559A7241CB78A945CFA1
                                          Function 052CA5F0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                          Download Yara Rule
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 052CA66E
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1544104084.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_52c0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 4843178532932b52186fa0244755b4b7fbac22a91d76ad33c955c146306373c8
                                          • Instruction ID: 36f6fcb99b606d5d0b686011a3723381c59e8e03a5a8ebc5c6cd3506fe5bac0e
                                          • Opcode Fuzzy Hash: 4843178532932b52186fa0244755b4b7fbac22a91d76ad33c955c146306373c8
                                          • Instruction Fuzzy Hash: E4213571D002098FDB10DFAAC4857EEBBF4EF48324F14842ED419A7241CB78A945CFA1
                                          Function 052CA878 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                          Download Yara Rule
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 052CA8F8
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1544104084.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_52c0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: c4698e2f1f5ff30d74bb11520fc082d8153078cabe0ef8d9f283661c3ba9d161
                                          • Instruction ID: 516efda1d072314e70bd3dd4e5dfc5c0c4d1bacc26dcd8b043225481d72ddf94
                                          • Opcode Fuzzy Hash: c4698e2f1f5ff30d74bb11520fc082d8153078cabe0ef8d9f283661c3ba9d161
                                          • Instruction Fuzzy Hash: 8D2116B1D0024D9FDB10DFAAC881ADEFBF5FF48310F10842AE519A7240C7799945CBA1
                                          Function 0263D689 Relevance: 1.6, APIs: 1, Instructions: 59COMMON
                                          Download Yara Rule
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0263D656,?,?,?,?,?), ref: 0263D717
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1523347611.0000000002630000.00000040.00000800.00020000.00000000.sdmp, Offset: 02630000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_2630000_mpTrle.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 4b6cc2da1a1b7b55fe5eec6c03db3f341c41e9e6be838e654084cef14256624d
                                          • Instruction ID: 1dfa51566fdb5eea07b183b8a30b3a3616f7075d63a771f0a44747a01b2931a0
                                          • Opcode Fuzzy Hash: 4b6cc2da1a1b7b55fe5eec6c03db3f341c41e9e6be838e654084cef14256624d
                                          • Instruction Fuzzy Hash: B621E2B5D00249DFDB10CFA9D584ADEBBF5EB48314F14805AE918B3350D378AA54CFA5
                                          Function 052CA6C1 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON
                                          Download Yara Rule
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 052CA736
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1544104084.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_52c0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 1ab7358f47df32a185865e33c04b0ff41720b68991fe4722d0a08c5626679f0a
                                          • Instruction ID: d1a4645cc9597ee552c5f2075a119d9dc2e7c2b5da32d2292ea7457721bae25f
                                          • Opcode Fuzzy Hash: 1ab7358f47df32a185865e33c04b0ff41720b68991fe4722d0a08c5626679f0a
                                          • Instruction Fuzzy Hash: 5A1156728002099FDB20DFAAC845ADEFFF5FF88320F14841AE519A7250C775A944CFA0
                                          Function 052CA6C8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                          Download Yara Rule
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 052CA736
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1544104084.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_52c0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 80e044ca6a9f83db995374f650912dbc3ef064da7ba9a63138c980a5a65d4a40
                                          • Instruction ID: 654239c8ad49af173715016ca02578b2253f72a0708ef8da63e5285f2c771640
                                          • Opcode Fuzzy Hash: 80e044ca6a9f83db995374f650912dbc3ef064da7ba9a63138c980a5a65d4a40
                                          • Instruction Fuzzy Hash: 67113472D002499FCB20DFAAC845ADEBFF5FF88320F14841AE519A7250C775A944CFA1
                                          Function 052CA100 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON
                                          Download Yara Rule
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1544104084.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_52c0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 9fed65c1a9225045f0143e006806e326f7cc7c96d1eba93b3ad04ebad1bda003
                                          • Instruction ID: 66805f777175eefc760d0bb950fc038b2c41f2b33aebcd65e4444cb86f0fffad
                                          • Opcode Fuzzy Hash: 9fed65c1a9225045f0143e006806e326f7cc7c96d1eba93b3ad04ebad1bda003
                                          • Instruction Fuzzy Hash: CE1146B1D042498FDB24DFAAC44579EFFF4EF88324F14841AD519A7240CB75A945CBA4
                                          Function 052CA108 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                          Download Yara Rule
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1544104084.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_52c0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 3d4d26a825a6b17c5382f207f981d25d31f5df1119650587c5552bca11b3fbbc
                                          • Instruction ID: 8702fd70e70c809f455014529d7f54b42aa06403da40f20e12546402dece0e73
                                          • Opcode Fuzzy Hash: 3d4d26a825a6b17c5382f207f981d25d31f5df1119650587c5552bca11b3fbbc
                                          • Instruction Fuzzy Hash: 751136B1D042498FDB20DFAAC8457DEFFF4EF88324F24841AD419A7240CB75A945CBA5
                                          Function 052CAA18 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                          Download Yara Rule
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 052CD33D
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1544104084.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_52c0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 1d4abccc9ea6a4ee9a504fa1d6efe13d204ee8e2dd40767c575e4f5da19d5c6a
                                          • Instruction ID: 8746652ca9e48d145131f9df04c2d06020e7287dd5a626fbe6c3e504510c518c
                                          • Opcode Fuzzy Hash: 1d4abccc9ea6a4ee9a504fa1d6efe13d204ee8e2dd40767c575e4f5da19d5c6a
                                          • Instruction Fuzzy Hash: 3F1122B68003499FDB10DF9AC849BDEBFF8EB48310F108459E918A7201C375A944CFA5
                                          Function 0263AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                          Download Yara Rule
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0263AFFE
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1523347611.0000000002630000.00000040.00000800.00020000.00000000.sdmp, Offset: 02630000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_2630000_mpTrle.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 37991b71137dc6ea128051a35ce890bd6177cd47ec29e6db1cca887aced8960e
                                          • Instruction ID: 06f42f061b656536d2acad86f756e98a24a2be5ae6c8367774b68de223f3c273
                                          • Opcode Fuzzy Hash: 37991b71137dc6ea128051a35ce890bd6177cd47ec29e6db1cca887aced8960e
                                          • Instruction Fuzzy Hash: 4B11E0B6C002498FDB10DF9AD544ADEFBF4EF88318F14846AD829B7210D375A545CFA1
                                          Function 052CD2D8 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON
                                          Download Yara Rule
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 052CD33D
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1544104084.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_52c0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 17121ef22438ef10138eb905e4bb0f025c1b2f2ca7df2bd100520f911f78acac
                                          • Instruction ID: f34fcb6a9cca6836b82758088abda56790e9433ce20f355c9a3f47b240f5c9e2
                                          • Opcode Fuzzy Hash: 17121ef22438ef10138eb905e4bb0f025c1b2f2ca7df2bd100520f911f78acac
                                          • Instruction Fuzzy Hash: 7D11F2B58043499FDB20DF99D485BDEBFF4FB88314F24845AE558A7240C375A944CFA1
                                          Function 052CDD60 Relevance: 1.3, APIs: 1, Instructions: 50COMMON
                                          Download Yara Rule
                                          APIs
                                          • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,052CE759,?,?), ref: 052CE900
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1544104084.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_52c0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: a43e839cd7f861be616489b88aa25736b129de800d6e43c69ec4a7b59861f330
                                          • Instruction ID: f1731ccb1c2daf4b5a23957803931ae3d6ea51bd96ba59af97c0ec87fda50ea9
                                          • Opcode Fuzzy Hash: a43e839cd7f861be616489b88aa25736b129de800d6e43c69ec4a7b59861f330
                                          • Instruction Fuzzy Hash: 7F1158B18002098FDB20DF99C445BDEBBF4EF48320F118459D958A7241D378A544CFA5
                                          Function 052CDDAC Relevance: 1.3, APIs: 1, Instructions: 50COMMON
                                          Download Yara Rule
                                          APIs
                                          • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,052CE759,?,?), ref: 052CE900
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1544104084.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_52c0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: 5cffa7e60f368a2a74ef403c98cb45a43cad737c57d58cd6d85c219e98fe12df
                                          • Instruction ID: 8b758754b5a56a91d2358cda0ed0f239e9509d3f6ee8096bda72935caa3d68d5
                                          • Opcode Fuzzy Hash: 5cffa7e60f368a2a74ef403c98cb45a43cad737c57d58cd6d85c219e98fe12df
                                          • Instruction Fuzzy Hash: 8D1155B18002498FDB20DF99C489BEEBBF4EF48320F118469E958A7241D378A944CFA1
                                          Function 052CDDB8 Relevance: 1.3, APIs: 1, Instructions: 50COMMON
                                          Download Yara Rule
                                          APIs
                                          • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,052CE759,?,?), ref: 052CE900
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1544104084.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_52c0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: e31abd70ea04138670b1f35704f1d1b0c49b9ddf3377b28c68dc24b3b5dd70e0
                                          • Instruction ID: e6d7f9c98c4afde16d6acd565c2391d9990150e096b903e1f77107a4dfcf1231
                                          • Opcode Fuzzy Hash: e31abd70ea04138670b1f35704f1d1b0c49b9ddf3377b28c68dc24b3b5dd70e0
                                          • Instruction Fuzzy Hash: 021155B1C003498FDB20DF9AC489BDEBBF4EF48320F118469E958A7241D378A944CFA1
                                          Function 0245D1FC Relevance: .1, Instructions: 76COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1522652459.000000000245D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0245D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_245d000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a6c47f30019f6345aca7349fbfb0d5ee294c3eab57a8be756b1cd0fdc0b6cee8
                                          • Instruction ID: abf20a78576beff635facbcfe50a12b4eadf2af8a03a800fa688202f49e79caf
                                          • Opcode Fuzzy Hash: a6c47f30019f6345aca7349fbfb0d5ee294c3eab57a8be756b1cd0fdc0b6cee8
                                          • Instruction Fuzzy Hash: 7621E0B1904200EFDB05DF54D980B2BBB65FF88310F20C5AAFD890E256C336D456CAA1
                                          Function 0245D4C4 Relevance: .1, Instructions: 75COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1522652459.000000000245D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0245D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_245d000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3929e374409b8731e7201a8868872520e69257ccd8953110f22e8d0911560f33
                                          • Instruction ID: 21cc1613235912e7d7ddb2ef2554ef56b27c989a9d79d1aa74b40936355cb27a
                                          • Opcode Fuzzy Hash: 3929e374409b8731e7201a8868872520e69257ccd8953110f22e8d0911560f33
                                          • Instruction Fuzzy Hash: 9321C171904248EFDB05DF14D980B27BF65FF88318F24C56AED890B25BC336E456CAA1
                                          Function 0246D1D4 Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1522741358.000000000246D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0246D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_246d000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bc7461ac59aaba378594031485550cfc2c6ee2a713c08e80147b95f75d929235
                                          • Instruction ID: 06004182ebb33d2df39a0567790264bd4ef2e1ea04b57a7bed541557c40839a9
                                          • Opcode Fuzzy Hash: bc7461ac59aaba378594031485550cfc2c6ee2a713c08e80147b95f75d929235
                                          • Instruction Fuzzy Hash: 57210771A04204DFDB05DF14D9C8B36BB65FB88314F24C56EE8094F355C376D446CA62
                                          Function 0246D01C Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1522741358.000000000246D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0246D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_246d000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a25ac9bec341c8a70beefa52cedb12e85bfaffe5f9ab05d140fadc0f86244ae3
                                          • Instruction ID: 51e9226aa1e60f5f906a33852868a3491e930a647410e18f17b7fe76e96c9752
                                          • Opcode Fuzzy Hash: a25ac9bec341c8a70beefa52cedb12e85bfaffe5f9ab05d140fadc0f86244ae3
                                          • Instruction Fuzzy Hash: 2A21F275A04244DFDB14DF14D988B26BBA5EB88318F24C56AE90A4B356C33BD447CAA2
                                          Function 0246D006 Relevance: .1, Instructions: 62COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1522741358.000000000246D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0246D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_246d000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7fba339e4aad9432d54dbb2d62e271234752fb63526b284214de9a9210b95fbe
                                          • Instruction ID: 4a07e7e554a4908a2bda4dd2c5ca567ddb6e8c46b5abb40dead5f7f2a2275a80
                                          • Opcode Fuzzy Hash: 7fba339e4aad9432d54dbb2d62e271234752fb63526b284214de9a9210b95fbe
                                          • Instruction Fuzzy Hash: 38218075509380CFCB02CF24D594716BF71EB46218F28C5DBD8898B2A7C33A940ACB62
                                          Function 0245D1F7 Relevance: .1, Instructions: 57COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1522652459.000000000245D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0245D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_245d000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 21e913fbe4a6093fe52002ebff3728cbe293fe76fa7d723964536c1d21f6342d
                                          • Instruction ID: 37ba389ba308e781c02b213a96a4f75bfe1fcbe8315c26a1fec19838d43ec0df
                                          • Opcode Fuzzy Hash: 21e913fbe4a6093fe52002ebff3728cbe293fe76fa7d723964536c1d21f6342d
                                          • Instruction Fuzzy Hash: 1B219D76904244DFDB06CF50D9C4B16BF62FF84314F24C5AAED494A656C33AD42ACBA1
                                          Function 0245D4BF Relevance: .1, Instructions: 56COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1522652459.000000000245D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0245D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_245d000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
                                          • Instruction ID: 33269d842bf8007c44e35b889cf7cccaeeaff03b6026d467c85488b98cdf1bf2
                                          • Opcode Fuzzy Hash: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
                                          • Instruction Fuzzy Hash: 7711AF76904284CFCB16CF14D9C4B16BF71FB84318F24C6AADC490B656C336D45ACBA1
                                          Function 0246D1CF Relevance: .1, Instructions: 53COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1522741358.000000000246D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0246D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_246d000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                          • Instruction ID: 5542cb9b81cc53cd30d06756549755789c6f578414c04176affce8911cf29346
                                          • Opcode Fuzzy Hash: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                          • Instruction Fuzzy Hash: E5118E75A04244DFDB15CF14D5C4B26BB61FB84214F28C6AAD8494F756C33AD44ACB52

                                          Execution Graph

                                          Execution Coverage:10.3%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:126
                                          Total number of Limit Nodes:12
                                          execution_graph 42113 290d044 42114 290d05c 42113->42114 42115 290d0b6 42114->42115 42120 66fdbdb 42114->42120 42123 66faca4 42114->42123 42127 66fdaa7 42114->42127 42131 66fdaa8 42114->42131 42135 66facdc 42120->42135 42122 66fdbe7 42122->42115 42124 66facaf 42123->42124 42125 66fdbe7 42124->42125 42126 66facdc GetModuleHandleW 42124->42126 42125->42115 42126->42125 42128 66fdaa8 42127->42128 42129 66faca4 GetModuleHandleW 42128->42129 42130 66fdada 42129->42130 42130->42115 42132 66fdace 42131->42132 42133 66faca4 GetModuleHandleW 42132->42133 42134 66fdada 42133->42134 42134->42115 42136 66face7 42135->42136 42137 66faad0 GetModuleHandleW 42136->42137 42138 66fdcb8 42136->42138 42137->42138 42139 66f32d8 DuplicateHandle 42140 66f336e 42139->42140 41988 2a30848 41989 2a3084e 41988->41989 41990 2a3091b 41989->41990 41995 2a3138f 41989->41995 42001 2a314bf 41989->42001 42006 66f1f78 41989->42006 42010 66f1f88 41989->42010 41996 2a31353 41995->41996 41998 2a31393 41995->41998 41996->41989 41997 2a314ba 41997->41989 41998->41997 42000 2a314bf 2 API calls 41998->42000 42014 2a38258 41998->42014 42000->41998 42002 2a313a6 42001->42002 42003 2a314ba 42002->42003 42004 2a314bf 2 API calls 42002->42004 42005 2a38258 2 API calls 42002->42005 42003->41989 42004->42002 42005->42002 42007 66f1f97 42006->42007 42027 66f17c4 42007->42027 42011 66f1f97 42010->42011 42012 66f17c4 GetModuleHandleW 42011->42012 42013 66f1fb8 42012->42013 42013->41989 42015 2a38262 42014->42015 42016 2a3827c 42015->42016 42019 670fa30 42015->42019 42023 670fa1f 42015->42023 42016->41998 42020 670fa45 42019->42020 42021 670fc5a 42020->42021 42022 670fc70 GlobalMemoryStatusEx GlobalMemoryStatusEx 42020->42022 42021->42016 42022->42020 42025 670fa30 42023->42025 42024 670fc5a 42024->42016 42025->42024 42026 670fc70 GlobalMemoryStatusEx GlobalMemoryStatusEx 42025->42026 42026->42025 42030 66f17ca 42027->42030 42029 66f393e 42031 66f2f24 42030->42031 42033 66f2f2f 42031->42033 42032 66f4064 42032->42029 42033->42032 42036 66f5ce8 42033->42036 42040 66f5cd8 42033->42040 42037 66f5d09 42036->42037 42038 66f5d2d 42037->42038 42044 66f5e98 42037->42044 42038->42032 42041 66f5cdc 42040->42041 42042 66f5d2d 42041->42042 42043 66f5e98 GetModuleHandleW 42041->42043 42042->42032 42043->42042 42045 66f5ea5 42044->42045 42046 66f5ede 42045->42046 42048 66f3e30 42045->42048 42046->42038 42049 66f3e3b 42048->42049 42051 66f5f50 42049->42051 42052 66f49a8 42049->42052 42051->42051 42053 66f49b3 42052->42053 42059 66f49b8 42053->42059 42055 66f5fbf 42063 66fb453 42055->42063 42069 66fb458 42055->42069 42056 66f5ff9 42056->42051 42062 66f49c3 42059->42062 42060 66f73c0 42060->42055 42061 66f5ce8 GetModuleHandleW 42061->42060 42062->42060 42062->42061 42065 66fb589 42063->42065 42066 66fb489 42063->42066 42064 66fb495 42064->42056 42065->42056 42066->42064 42075 66fc9cb 42066->42075 42082 66fc9d0 42066->42082 42070 66fb489 42069->42070 42072 66fb589 42069->42072 42071 66fb495 42070->42071 42073 66fc9cb GetModuleHandleW 42070->42073 42074 66fc9d0 GetModuleHandleW 42070->42074 42071->42056 42072->42056 42073->42072 42074->42072 42076 66fc9fb 42075->42076 42089 66fcf1b 42076->42089 42094 66fcf20 42076->42094 42077 66fca7e 42078 66faad0 GetModuleHandleW 42077->42078 42079 66fcaaa 42077->42079 42078->42079 42083 66fc9fb 42082->42083 42087 66fcf1b GetModuleHandleW 42083->42087 42088 66fcf20 GetModuleHandleW 42083->42088 42084 66fca7e 42086 66fcaaa 42084->42086 42099 66faad0 42084->42099 42087->42084 42088->42084 42090 66fcf4d 42089->42090 42091 66fcfce 42090->42091 42092 66fd08b GetModuleHandleW 42090->42092 42093 66fd090 GetModuleHandleW 42090->42093 42092->42091 42093->42091 42095 66fcf4d 42094->42095 42096 66fcfce 42095->42096 42097 66fd08b GetModuleHandleW 42095->42097 42098 66fd090 GetModuleHandleW 42095->42098 42097->42096 42098->42096 42100 66fb910 GetModuleHandleW 42099->42100 42102 66fb985 42100->42102 42102->42086 42103 66fb720 42104 66fb731 42103->42104 42107 66fb74c 42103->42107 42105 66faad0 GetModuleHandleW 42104->42105 42106 66fb73c 42105->42106 42106->42107 42109 66fb9a9 42106->42109 42110 66fb9b3 42109->42110 42110->42110 42111 66faad0 GetModuleHandleW 42110->42111 42112 66fb9cc 42111->42112 42112->42107 42141 66fd8f0 42142 66fd958 CreateWindowExW 42141->42142 42144 66fda14 42142->42144

                                          Executed Functions

                                          Function 0670B230 Relevance: 8.3, Strings: 6, Instructions: 770COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q$$_q$$_q
                                          • API String ID: 0-155944776
                                          • Opcode ID: ce4ecb2b665ac3595305ff7962dcf415794b6f1a4cf7dbda6d6ca9ec44cbe0cc
                                          • Instruction ID: bbe702cceeafdcdd2ef18b607425e7bd899baca85eb2f795c0e8bdb15c0d746e
                                          • Opcode Fuzzy Hash: ce4ecb2b665ac3595305ff7962dcf415794b6f1a4cf7dbda6d6ca9ec44cbe0cc
                                          • Instruction Fuzzy Hash: BF528134E10209DFEF64CB68C5847ADB7E2EB85710F20886AE405DB395DB36DE45CBA1
                                          Function 06703490 Relevance: 8.0, Strings: 6, Instructions: 545COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 941 6703490-67034b1 943 67034b3-67034b6 941->943 944 67034b8-67034d7 943->944 945 67034dc-67034df 943->945 944->945 946 6703c80-6703c82 945->946 947 67034e5-6703504 945->947 948 6703c84 946->948 949 6703c89-6703c8c 946->949 955 6703506-6703509 947->955 956 670351d-6703527 947->956 948->949 949->943 951 6703c92-6703c9b 949->951 955->956 957 670350b-670351b 955->957 960 670352d-670353c 956->960 957->960 1070 670353e call 6703cb0 960->1070 1071 670353e call 6703ca8 960->1071 961 6703543-6703548 962 6703555-6703832 961->962 963 670354a-6703550 961->963 984 6703c72-6703c7f 962->984 985 6703838-67038e7 962->985 963->951 994 6703910 985->994 995 67038e9-670390e 985->995 997 6703919-670392c 994->997 995->997 999 6703932-6703954 call 670307c 997->999 1000 6703c59-6703c65 997->1000 999->1000 1004 670395a-6703964 999->1004 1000->985 1001 6703c6b 1000->1001 1001->984 1004->1000 1005 670396a-6703975 1004->1005 1005->1000 1006 670397b-6703a51 1005->1006 1018 6703a53-6703a55 1006->1018 1019 6703a5f-6703a8f 1006->1019 1018->1019 1023 6703a91-6703a93 1019->1023 1024 6703a9d-6703aa9 1019->1024 1023->1024 1025 6703b09-6703b0d 1024->1025 1026 6703aab-6703aaf 1024->1026 1027 6703b13-6703b4f 1025->1027 1028 6703c4a-6703c53 1025->1028 1026->1025 1029 6703ab1-6703adb 1026->1029 1041 6703b51-6703b53 1027->1041 1042 6703b5d-6703b6b 1027->1042 1028->1000 1028->1006 1036 6703ae9-6703b06 call 6703088 1029->1036 1037 6703add-6703adf 1029->1037 1036->1025 1037->1036 1041->1042 1044 6703b82-6703b8d 1042->1044 1045 6703b6d-6703b78 1042->1045 1049 6703ba5-6703bb6 1044->1049 1050 6703b8f-6703b95 1044->1050 1045->1044 1048 6703b7a 1045->1048 1048->1044 1054 6703bb8-6703bbe 1049->1054 1055 6703bce-6703bda 1049->1055 1051 6703b97 1050->1051 1052 6703b99-6703b9b 1050->1052 1051->1049 1052->1049 1056 6703bc0 1054->1056 1057 6703bc2-6703bc4 1054->1057 1059 6703bf2-6703c43 1055->1059 1060 6703bdc-6703be2 1055->1060 1056->1055 1057->1055 1059->1028 1061 6703be4 1060->1061 1062 6703be6-6703be8 1060->1062 1061->1059 1062->1059 1070->961 1071->961
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q$$_q$$_q
                                          • API String ID: 0-155944776
                                          • Opcode ID: c71dc17d1fee2503356ff997e967695b426f5b0cb4b508d8e6d6f1ab2aa47e7f
                                          • Instruction ID: ce612dc6ecf58efd56559e66b0a42f54b8d21ea0715e0230e81d1ba4d0ac2b11
                                          • Opcode Fuzzy Hash: c71dc17d1fee2503356ff997e967695b426f5b0cb4b508d8e6d6f1ab2aa47e7f
                                          • Instruction Fuzzy Hash: B7322F34E1061ACFDB14EF75C8946ADB7F2BFC9310F11C6AAD409A7264EB709985CB90
                                          Function 06707D70 Relevance: 3.0, Strings: 2, Instructions: 474COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1982 6707d70-6707d8e 1983 6707d90-6707d93 1982->1983 1984 6707db4-6707db7 1983->1984 1985 6707d95-6707daf 1983->1985 1986 6707dc4-6707dc7 1984->1986 1987 6707db9-6707dc3 1984->1987 1985->1984 1989 6707dc9-6707de5 1986->1989 1990 6707dea-6707ded 1986->1990 1989->1990 1991 6707e04-6707e06 1990->1991 1992 6707def-6707dfd 1990->1992 1993 6707e08 1991->1993 1994 6707e0d-6707e10 1991->1994 1998 6707e16-6707e2c 1992->1998 1999 6707dff 1992->1999 1993->1994 1994->1983 1994->1998 2002 6707e32-6707e3b 1998->2002 2003 6708047-6708051 1998->2003 1999->1991 2004 6707e41-6707e5e 2002->2004 2005 6708052-6708066 2002->2005 2012 6708034-6708041 2004->2012 2013 6707e64-6707e8c 2004->2013 2008 6708068-670806c 2005->2008 2009 670806d-6708087 2005->2009 2008->2009 2011 6708089-670808c 2009->2011 2014 67082c1-67082c4 2011->2014 2015 6708092-67080a1 2011->2015 2012->2002 2012->2003 2013->2012 2032 6707e92-6707e9b 2013->2032 2016 67082c6-67082e2 2014->2016 2017 67082e7-67082ea 2014->2017 2025 67080c0-6708104 2015->2025 2026 67080a3-67080be 2015->2026 2016->2017 2019 67082f0-67082fc 2017->2019 2020 6708395-6708397 2017->2020 2029 6708307-6708309 2019->2029 2023 6708399 2020->2023 2024 670839e-67083a1 2020->2024 2023->2024 2024->2011 2027 67083a7-67083b0 2024->2027 2036 6708295-67082ab 2025->2036 2037 670810a-670811b 2025->2037 2026->2025 2033 6708321-6708325 2029->2033 2034 670830b-6708311 2029->2034 2032->2005 2038 6707ea1-6707ebd 2032->2038 2041 6708333 2033->2041 2042 6708327-6708331 2033->2042 2039 6708313 2034->2039 2040 6708315-6708317 2034->2040 2036->2014 2050 6708280-670828f 2037->2050 2051 6708121-670813e 2037->2051 2052 6708022-670802e 2038->2052 2053 6707ec3-6707eed 2038->2053 2039->2033 2040->2033 2043 6708338-670833a 2041->2043 2042->2043 2048 670834b-6708384 2043->2048 2049 670833c-670833f 2043->2049 2048->2015 2069 670838a-6708394 2048->2069 2049->2027 2050->2036 2050->2037 2051->2050 2062 6708144-670823a call 6706598 2051->2062 2052->2012 2052->2032 2066 6707ef3-6707f1b 2053->2066 2067 6708018-670801d 2053->2067 2117 6708248 2062->2117 2118 670823c-6708246 2062->2118 2066->2067 2075 6707f21-6707f4f 2066->2075 2067->2052 2075->2067 2081 6707f55-6707f5e 2075->2081 2081->2067 2082 6707f64-6707f96 2081->2082 2089 6707fa1-6707fbd 2082->2089 2090 6707f98-6707f9c 2082->2090 2089->2052 2093 6707fbf-6708016 call 6706598 2089->2093 2090->2067 2092 6707f9e 2090->2092 2092->2089 2093->2052 2119 670824d-670824f 2117->2119 2118->2119 2119->2050 2120 6708251-6708256 2119->2120 2121 6708264 2120->2121 2122 6708258-6708262 2120->2122 2123 6708269-670826b 2121->2123 2122->2123 2123->2050 2124 670826d-6708279 2123->2124 2124->2050
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q
                                          • API String ID: 0-458585787
                                          • Opcode ID: b80228b0dfc07b09b77d3854b93300c12166f23f38f69daad8b9cf3266fef2f5
                                          • Instruction ID: 15536c7d40f3928e3a2401854aeee66e263ce63e1e57b76f22f6cbcc333fa464
                                          • Opcode Fuzzy Hash: b80228b0dfc07b09b77d3854b93300c12166f23f38f69daad8b9cf3266fef2f5
                                          • Instruction Fuzzy Hash: D9029A34B00606DFEF54DB68D994AAEB7E2BF84314F148529D409DB394DB31EC46CBA2
                                          Function 067065E8 Relevance: .8, Instructions: 810COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 968f18f91af523f93034e59aa641a5d49444d276ea597624589077f8bbda4e96
                                          • Instruction ID: 1c7711702a4f6c1382f1e457b2234d66739fd9d92a92d22c91f4e9b78d1c2272
                                          • Opcode Fuzzy Hash: 968f18f91af523f93034e59aa641a5d49444d276ea597624589077f8bbda4e96
                                          • Instruction Fuzzy Hash: A3628C34A10205CFEB54DB68D594BADB7F2EF88314F208569E406EB394DB35ED46CBA0
                                          Function 0670C178 Relevance: .6, Instructions: 643COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cb7afce68aeb186aa7b1ab1bf49151c6d60654dbfa6e15a3060214384b1e05ea
                                          • Instruction ID: ddca9df1ba0ae2a71b88e5d679b1e61d488bf6e9f6fae55daff39ff9a6b01e1e
                                          • Opcode Fuzzy Hash: cb7afce68aeb186aa7b1ab1bf49151c6d60654dbfa6e15a3060214384b1e05ea
                                          • Instruction Fuzzy Hash: 87327D34B10209DFEB55DB68D984BADB7F2FB88314F108625E505EB395DB30EC468BA1
                                          Function 067055D0 Relevance: .6, Instructions: 587COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 08b7cd4eed13352a8886e670fe2b949709543975c83d624ae7ae02be45153686
                                          • Instruction ID: 86a4309551f2214a88c178227a71af2cfeae948996291fc3f8bc9731b0ce4c50
                                          • Opcode Fuzzy Hash: 08b7cd4eed13352a8886e670fe2b949709543975c83d624ae7ae02be45153686
                                          • Instruction Fuzzy Hash: 6B12D075E10205DBFF64DB64C98067EBBE2EB85310F248969D81ADB384DA34DC46CFA1
                                          Function 0670ACC8 Relevance: 10.4, Strings: 8, Instructions: 390COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 527 670acc8-670ace6 528 670ace8-670aceb 527->528 529 670ad05-670ad08 528->529 530 670aced-670ad00 528->530 531 670ad0a-670ad17 529->531 532 670ad1c-670ad1f 529->532 530->529 531->532 534 670ad21-670ad2a 532->534 535 670ad39-670ad3c 532->535 537 670ad30-670ad34 534->537 538 670aeff-670af36 534->538 539 670ad3e-670ad5a 535->539 540 670ad5f-670ad62 535->540 537->535 550 670af38-670af3b 538->550 539->540 541 670ad72-670ad75 540->541 542 670ad64-670ad6d 540->542 544 670aee5-670aeee 541->544 545 670ad7b-670ad7e 541->545 542->541 544->534 547 670aef4-670aefe 544->547 548 670ad80-670ad85 545->548 549 670ad88-670ad8b 545->549 548->549 554 670ad9c-670ad9e 549->554 555 670ad8d-670ad91 549->555 551 670af48-670af4b 550->551 552 670af3d-670af41 550->552 558 670af58-670af5b 551->558 559 670af4d-670af57 551->559 556 670af61-670af9c 552->556 557 670af43 552->557 561 670ada0 554->561 562 670ada5-670ada8 554->562 555->547 560 670ad97 555->560 569 670afa2-670afae 556->569 570 670b18f-670b1a2 556->570 557->551 558->556 563 670b1c4-670b1c7 558->563 560->554 561->562 562->528 564 670adae-670add2 562->564 566 670b1c9-670b1e5 563->566 567 670b1ea-670b1ed 563->567 581 670aee2 564->581 582 670add8-670ade7 564->582 566->567 571 670b1fc-670b1fe 567->571 572 670b1ef 567->572 583 670afb0-670afc9 569->583 584 670afce-670b012 569->584 575 670b1a4 570->575 573 670b200 571->573 574 670b205-670b208 571->574 650 670b1ef call 670b230 572->650 651 670b1ef call 670b220 572->651 573->574 574->550 579 670b20e-670b218 574->579 575->563 577 670b1f5-670b1f7 577->571 581->544 588 670ade9-670adef 582->588 589 670adff-670ae3a call 6706598 582->589 583->575 600 670b014-670b026 584->600 601 670b02e-670b06d 584->601 590 670adf1 588->590 591 670adf3-670adf5 588->591 606 670ae52-670ae69 589->606 607 670ae3c-670ae42 589->607 590->589 591->589 600->601 608 670b073-670b14e call 6706598 601->608 609 670b154-670b169 601->609 619 670ae81-670ae92 606->619 620 670ae6b-670ae71 606->620 612 670ae44 607->612 613 670ae46-670ae48 607->613 608->609 609->570 612->606 613->606 626 670ae94-670ae9a 619->626 627 670aeaa-670aedb 619->627 621 670ae73 620->621 622 670ae75-670ae77 620->622 621->619 622->619 628 670ae9c 626->628 629 670ae9e-670aea0 626->629 627->581 628->627 629->627 650->577 651->577
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q
                                          • API String ID: 0-2216122830
                                          • Opcode ID: ea2986ad5e123adf87d566bb2b667e2963b873ecb8d96a0dddc6a1bf6275c89a
                                          • Instruction ID: f8cba34e7c4458dc9de2f7a0176513819f80b4470586be72c19d82ed808cdb37
                                          • Opcode Fuzzy Hash: ea2986ad5e123adf87d566bb2b667e2963b873ecb8d96a0dddc6a1bf6275c89a
                                          • Instruction Fuzzy Hash: 00E16C34E1030ACFDB55DB68D5946AEB7F2BB85304F208529E805EB399DB31EC46CB91
                                          Function 06709148 Relevance: 5.2, Strings: 4, Instructions: 230COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1072 6709148-670916d 1073 670916f-6709172 1072->1073 1074 6709a30-6709a33 1073->1074 1075 6709178-670918d 1073->1075 1076 6709a35-6709a54 1074->1076 1077 6709a59-6709a5b 1074->1077 1082 67091a5-67091bb 1075->1082 1083 670918f-6709195 1075->1083 1076->1077 1079 6709a62-6709a65 1077->1079 1080 6709a5d 1077->1080 1079->1073 1084 6709a6b-6709a75 1079->1084 1080->1079 1089 67091c6-67091c8 1082->1089 1085 6709197 1083->1085 1086 6709199-670919b 1083->1086 1085->1082 1086->1082 1090 67091e0-6709251 1089->1090 1091 67091ca-67091d0 1089->1091 1102 6709253-6709276 1090->1102 1103 670927d-6709299 1090->1103 1092 67091d2 1091->1092 1093 67091d4-67091d6 1091->1093 1092->1090 1093->1090 1102->1103 1108 67092c5-67092e0 1103->1108 1109 670929b-67092be 1103->1109 1114 67092e2-6709304 1108->1114 1115 670930b-6709326 1108->1115 1109->1108 1114->1115 1120 6709328-6709344 1115->1120 1121 670934b-6709359 1115->1121 1120->1121 1122 6709369-67093e3 1121->1122 1123 670935b-6709364 1121->1123 1129 6709430-6709445 1122->1129 1130 67093e5-6709403 1122->1130 1123->1084 1129->1074 1134 6709405-6709414 1130->1134 1135 670941f-670942e 1130->1135 1134->1135 1135->1129 1135->1130
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q
                                          • API String ID: 0-1171383116
                                          • Opcode ID: 745a219443ef7280b508ad9abeadbf21b0e79af2f250b32d4ddda66be4891a74
                                          • Instruction ID: 41147bee07e9b30d25702fa3c175dc1ff8cea14d09c99461de7dfcdfcdec406b
                                          • Opcode Fuzzy Hash: 745a219443ef7280b508ad9abeadbf21b0e79af2f250b32d4ddda66be4891a74
                                          • Instruction Fuzzy Hash: 65919030F0060A9FDB54DF74D9507AEB3F6BB88200F108469D509EB389EA70AD46CB91
                                          Function 0670CF38 Relevance: 4.5, Strings: 3, Instructions: 799COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1138 670cf38-670cf53 1140 670cf55-670cf58 1138->1140 1141 670cfa1-670cfa4 1140->1141 1142 670cf5a-670cf9c 1140->1142 1143 670cfa6-670cfb5 1141->1143 1144 670cfed-670cff0 1141->1144 1142->1141 1145 670cfc4-670cfd0 1143->1145 1146 670cfb7-670cfbc 1143->1146 1148 670cff2-670cff4 1144->1148 1149 670cfff-670d002 1144->1149 1150 670d955-670d96e 1145->1150 1151 670cfd6-670cfe8 1145->1151 1146->1145 1152 670d421 1148->1152 1153 670cffa 1148->1153 1154 670d004-670d01a 1149->1154 1155 670d01f-670d022 1149->1155 1167 670d970-670d974 1150->1167 1168 670d975-670d98e 1150->1168 1151->1144 1156 670d424-670d430 1152->1156 1153->1149 1154->1155 1157 670d024-670d066 1155->1157 1158 670d06b-670d06e 1155->1158 1161 670d436-670d723 1156->1161 1162 670d17c-670d18b 1156->1162 1157->1158 1164 670d070-670d0b2 1158->1164 1165 670d0b7-670d0ba 1158->1165 1354 670d729-670d72f 1161->1354 1355 670d94a-670d954 1161->1355 1170 670d19a-670d1a6 1162->1170 1171 670d18d-670d192 1162->1171 1164->1165 1172 670d0c9-670d0cc 1165->1172 1173 670d0bc-670d0be 1165->1173 1167->1168 1177 670d990-670d993 1168->1177 1170->1150 1181 670d1ac-670d1be 1170->1181 1171->1170 1182 670d115-670d118 1172->1182 1183 670d0ce-670d110 1172->1183 1179 670d0c4 1173->1179 1180 670d2df-670d2e8 1173->1180 1184 670d9a2-670d9a5 1177->1184 1185 670d995 1177->1185 1179->1172 1189 670d2f7-670d303 1180->1189 1190 670d2ea-670d2ef 1180->1190 1201 670d1c3-670d1c6 1181->1201 1187 670d161-670d164 1182->1187 1188 670d11a-670d15c 1182->1188 1183->1182 1198 670d9a7-670d9c3 1184->1198 1199 670d9c8-670d9cb 1184->1199 1401 670d995 call 670dac0 1185->1401 1402 670d995 call 670daad 1185->1402 1187->1156 1197 670d16a-670d16d 1187->1197 1188->1187 1193 670d414-670d419 1189->1193 1194 670d309-670d31d 1189->1194 1190->1189 1193->1152 1194->1152 1225 670d323-670d335 1194->1225 1208 670d177-670d17a 1197->1208 1209 670d16f-670d174 1197->1209 1198->1199 1205 670d9cd-670d9f9 1199->1205 1206 670d9fe-670da00 1199->1206 1210 670d1c8-670d20a 1201->1210 1211 670d20f-670d212 1201->1211 1202 670d99b-670d99d 1202->1184 1205->1206 1215 670da02 1206->1215 1216 670da07-670da0a 1206->1216 1208->1162 1208->1201 1209->1208 1210->1211 1221 670d214-670d256 1211->1221 1222 670d25b-670d25e 1211->1222 1215->1216 1216->1177 1224 670da0c-670da1b 1216->1224 1221->1222 1231 670d260-670d2a2 1222->1231 1232 670d2a7-670d2aa 1222->1232 1245 670da82-670da97 1224->1245 1246 670da1d-670da80 call 6706598 1224->1246 1247 670d337-670d33d 1225->1247 1248 670d359-670d35b 1225->1248 1231->1232 1233 670d2ac-670d2c8 1232->1233 1234 670d2cd-670d2cf 1232->1234 1233->1234 1242 670d2d1 1234->1242 1243 670d2d6-670d2d9 1234->1243 1242->1243 1243->1140 1243->1180 1265 670da98 1245->1265 1246->1245 1255 670d341-670d34d 1247->1255 1256 670d33f 1247->1256 1257 670d365-670d371 1248->1257 1262 670d34f-670d357 1255->1262 1256->1262 1276 670d373-670d37d 1257->1276 1277 670d37f 1257->1277 1262->1257 1265->1265 1280 670d384-670d386 1276->1280 1277->1280 1280->1152 1284 670d38c-670d3a8 call 6706598 1280->1284 1295 670d3b7-670d3c3 1284->1295 1296 670d3aa-670d3af 1284->1296 1295->1193 1298 670d3c5-670d412 1295->1298 1296->1295 1298->1152 1356 670d731-670d736 1354->1356 1357 670d73e-670d747 1354->1357 1356->1357 1357->1150 1358 670d74d-670d760 1357->1358 1360 670d766-670d76c 1358->1360 1361 670d93a-670d944 1358->1361 1362 670d77b-670d784 1360->1362 1363 670d76e-670d773 1360->1363 1361->1354 1361->1355 1362->1150 1364 670d78a-670d7ab 1362->1364 1363->1362 1367 670d7ba-670d7c3 1364->1367 1368 670d7ad-670d7b2 1364->1368 1367->1150 1369 670d7c9-670d7e6 1367->1369 1368->1367 1369->1361 1372 670d7ec-670d7f2 1369->1372 1372->1150 1373 670d7f8-670d811 1372->1373 1375 670d817-670d83e 1373->1375 1376 670d92d-670d934 1373->1376 1375->1150 1379 670d844-670d84e 1375->1379 1376->1361 1376->1372 1379->1150 1380 670d854-670d86b 1379->1380 1382 670d87a-670d895 1380->1382 1383 670d86d-670d878 1380->1383 1382->1376 1388 670d89b-670d8b4 call 6706598 1382->1388 1383->1382 1392 670d8c3-670d8cc 1388->1392 1393 670d8b6-670d8bb 1388->1393 1392->1150 1394 670d8d2-670d926 1392->1394 1393->1392 1394->1376 1401->1202 1402->1202
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q
                                          • API String ID: 0-2441406858
                                          • Opcode ID: 37d3684b3f180899643374d3db1fe2e9b630dabe43568e5c70611f1475df8105
                                          • Instruction ID: 5bd5f4234de78c765756b3b56ec20bc08f7b7c855f392b02f06a09cfa1a83109
                                          • Opcode Fuzzy Hash: 37d3684b3f180899643374d3db1fe2e9b630dabe43568e5c70611f1475df8105
                                          • Instruction Fuzzy Hash: 5B622C34A00206DFDB55EBA8D590B5DB7F2FF84304B208A69D009DB769DB71EC4ACB91
                                          Function 06704B98 Relevance: 3.9, Strings: 3, Instructions: 186COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1403 6704b98-6704bbc 1405 6704bbe-6704bc1 1403->1405 1406 67052a0-67052a3 1405->1406 1407 6704bc7-6704cbf 1405->1407 1408 67052c4-67052c6 1406->1408 1409 67052a5-67052bf 1406->1409 1427 6704d42-6704d49 1407->1427 1428 6704cc5-6704d0d 1407->1428 1411 67052c8 1408->1411 1412 67052cd-67052d0 1408->1412 1409->1408 1411->1412 1412->1405 1414 67052d6-67052e3 1412->1414 1429 6704dcd-6704dd6 1427->1429 1430 6704d4f-6704dbf 1427->1430 1449 6704d12 call 6705450 1428->1449 1450 6704d12 call 6705440 1428->1450 1429->1414 1447 6704dc1 1430->1447 1448 6704dca 1430->1448 1441 6704d18-6704d34 1444 6704d36 1441->1444 1445 6704d3f 1441->1445 1444->1445 1445->1427 1447->1448 1448->1429 1449->1441 1450->1441
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: fdq$XPdq$\Odq
                                          • API String ID: 0-727959394
                                          • Opcode ID: 4af000e5640831e8e63af98a4830c1b3b2e80d445134ad6c7de2ceeab10fcfa7
                                          • Instruction ID: bb96d96ced5ae3181044d828e1a96ab8d9500c550708300d4cfd0e21467d8e93
                                          • Opcode Fuzzy Hash: 4af000e5640831e8e63af98a4830c1b3b2e80d445134ad6c7de2ceeab10fcfa7
                                          • Instruction Fuzzy Hash: E5616F74E00218DFEB549BA9C8547AEBBF6EF88310F20842AD605EB395DB754C458F91
                                          Function 0670913A Relevance: 2.7, Strings: 2, Instructions: 155COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2358 670913a-670916d 2359 670916f-6709172 2358->2359 2360 6709a30-6709a33 2359->2360 2361 6709178-670918d 2359->2361 2362 6709a35-6709a54 2360->2362 2363 6709a59-6709a5b 2360->2363 2368 67091a5-67091bb 2361->2368 2369 670918f-6709195 2361->2369 2362->2363 2365 6709a62-6709a65 2363->2365 2366 6709a5d 2363->2366 2365->2359 2370 6709a6b-6709a75 2365->2370 2366->2365 2375 67091c6-67091c8 2368->2375 2371 6709197 2369->2371 2372 6709199-670919b 2369->2372 2371->2368 2372->2368 2376 67091e0-6709251 2375->2376 2377 67091ca-67091d0 2375->2377 2388 6709253-6709276 2376->2388 2389 670927d-6709299 2376->2389 2378 67091d2 2377->2378 2379 67091d4-67091d6 2377->2379 2378->2376 2379->2376 2388->2389 2394 67092c5-67092e0 2389->2394 2395 670929b-67092be 2389->2395 2400 67092e2-6709304 2394->2400 2401 670930b-6709326 2394->2401 2395->2394 2400->2401 2406 6709328-6709344 2401->2406 2407 670934b-6709359 2401->2407 2406->2407 2408 6709369-67093e3 2407->2408 2409 670935b-6709364 2407->2409 2415 6709430-6709445 2408->2415 2416 67093e5-6709403 2408->2416 2409->2370 2415->2360 2420 6709405-6709414 2416->2420 2421 670941f-670942e 2416->2421 2420->2421 2421->2415 2421->2416
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q
                                          • API String ID: 0-458585787
                                          • Opcode ID: 2d1fc5a8d0f64ef7dcbd915b55f515fbb34d265fa3f4c0ac4e41ac315ca9057f
                                          • Instruction ID: f65b336db270c37c66c9ecb8599bd336ceb7f7999b94b0fd56d0ef0173cceac5
                                          • Opcode Fuzzy Hash: 2d1fc5a8d0f64ef7dcbd915b55f515fbb34d265fa3f4c0ac4e41ac315ca9057f
                                          • Instruction Fuzzy Hash: 20518374F005069FEB54DB74D950BAEB3F6BB88640F10842AD509DB399EA31EC42CBA1
                                          Function 066FD8EF Relevance: 1.6, APIs: 1, Instructions: 114COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2453 66fd8ef-66fd956 2455 66fd958-66fd95e 2453->2455 2456 66fd961-66fd968 2453->2456 2455->2456 2457 66fd96a-66fd970 2456->2457 2458 66fd973-66fd9ab 2456->2458 2457->2458 2459 66fd9b3-66fda12 CreateWindowExW 2458->2459 2460 66fda1b-66fda53 2459->2460 2461 66fda14-66fda1a 2459->2461 2465 66fda55-66fda58 2460->2465 2466 66fda60 2460->2466 2461->2460 2465->2466 2467 66fda61 2466->2467 2467->2467
                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 066FDA02
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560235585.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_66f0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          • Opcode ID: 445930e3a0605dc332b05754149d8bab542713b4b52f859ea16c598913069564
                                          • Instruction ID: a6169c7f77f2286985e65e97f88f93a9e804f1faccab6d07fdf38ced4a04919a
                                          • Opcode Fuzzy Hash: 445930e3a0605dc332b05754149d8bab542713b4b52f859ea16c598913069564
                                          • Instruction Fuzzy Hash: C241C0B1D103099FDB14CFA9C884ADEFBF5BF49310F24812AE819AB210D774A885CF90
                                          Function 066FD8F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2468 66fd8f0-66fd956 2469 66fd958-66fd95e 2468->2469 2470 66fd961-66fd968 2468->2470 2469->2470 2471 66fd96a-66fd970 2470->2471 2472 66fd973-66fda12 CreateWindowExW 2470->2472 2471->2472 2474 66fda1b-66fda53 2472->2474 2475 66fda14-66fda1a 2472->2475 2479 66fda55-66fda58 2474->2479 2480 66fda60 2474->2480 2475->2474 2479->2480 2481 66fda61 2480->2481 2481->2481
                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 066FDA02
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560235585.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_66f0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          • Opcode ID: ec96bb054124f0060ca4c38678f8888b16f767fd617b0f5cd95ebc0a385b5d30
                                          • Instruction ID: abe940c0d1ec0497382b457ed69849014c3918d69bfbf854d8c38417424d749a
                                          • Opcode Fuzzy Hash: ec96bb054124f0060ca4c38678f8888b16f767fd617b0f5cd95ebc0a385b5d30
                                          • Instruction Fuzzy Hash: D141CFB1D103099FDB14CFA9C884ADEFBF5BF49310F24812AE819AB210D774A885CF90
                                          Function 02A3F018 Relevance: 1.6, APIs: 1, Instructions: 74COMMON
                                          Download Yara Rule
                                          APIs
                                          • GlobalMemoryStatusEx.KERNELBASE ref: 02A3F0BF
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2544979083.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2a30000_mpTrle.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID:
                                          • API String ID: 1890195054-0
                                          • Opcode ID: 5dd823e8f5832bb086ffe15fed6ce4cc0501f7901c691aa932014306b130d5fc
                                          • Instruction ID: fc6bf6eb859ab1be0b2256123c2b751f0d11921748dd305fe12469d88e25db2d
                                          • Opcode Fuzzy Hash: 5dd823e8f5832bb086ffe15fed6ce4cc0501f7901c691aa932014306b130d5fc
                                          • Instruction Fuzzy Hash: 0A219AB1C0425A9FCB14DFA9D44479EFBF4AF48320F11856AE808A7641E738A945CFA1
                                          Function 066F32D0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                          Download Yara Rule
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 066F335F
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560235585.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_66f0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 983357db90b3e705e9aeeb7efc7421bd07884c6cf9e748882205f2262f61a712
                                          • Instruction ID: ffdc5acf4b6e6cf7bd916bbbb6e771301ca7e69f0f914b839c889abe100c76bf
                                          • Opcode Fuzzy Hash: 983357db90b3e705e9aeeb7efc7421bd07884c6cf9e748882205f2262f61a712
                                          • Instruction Fuzzy Hash: D021E3B5D002489FDB10CFA9D984AEEBBF4EB48310F14801AE918A3350D374A954CFA1
                                          Function 066F32D8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                          Download Yara Rule
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 066F335F
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560235585.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_66f0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: a5f39057e8850b14ce81da2de73bfe81c866d4ec621ba78977c187452fce7b06
                                          • Instruction ID: b42da6980561ce61675ac0509709b12b58503d754a781dd81fb0b52a54e4b6e2
                                          • Opcode Fuzzy Hash: a5f39057e8850b14ce81da2de73bfe81c866d4ec621ba78977c187452fce7b06
                                          • Instruction Fuzzy Hash: 5521B3B5D00248AFDB50CFAAD984ADEBBF4EB48310F14841AE918A3350D374A954CFA5
                                          Function 02A3F058 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                          Download Yara Rule
                                          APIs
                                          • GlobalMemoryStatusEx.KERNELBASE ref: 02A3F0BF
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2544979083.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2a30000_mpTrle.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID:
                                          • API String ID: 1890195054-0
                                          • Opcode ID: ef2d9ae50bd2784c2acce3fe75578c6e1e10a76faf90808effb3ea080a993359
                                          • Instruction ID: 006ac760415a5432f2af19edcd75f7b6f6052dcac45ad8e09238d35b3f7b4846
                                          • Opcode Fuzzy Hash: ef2d9ae50bd2784c2acce3fe75578c6e1e10a76faf90808effb3ea080a993359
                                          • Instruction Fuzzy Hash: 041123B1C006599FCB10DF9AC544BDEFBF4AF48320F11816AE818B7240D778A944CFA1
                                          Function 066FAAD0 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                          Download Yara Rule
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,066FB73C), ref: 066FB976
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560235585.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_66f0000_mpTrle.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 7d7cb13539db56f182a4d60d008ff7ed1f9bdc224f7be0967bd4a805586c9c28
                                          • Instruction ID: c96c137e6a60eeb24a6008caeae734ab132b95a4461d17b985b7f454ea94c1da
                                          • Opcode Fuzzy Hash: 7d7cb13539db56f182a4d60d008ff7ed1f9bdc224f7be0967bd4a805586c9c28
                                          • Instruction Fuzzy Hash: B31132B5C002498FCB50DF9AC444A9EFBF4EB49310F10842AD929B7310C375A545CFA1
                                          Function 06704B88 Relevance: 1.4, Strings: 1, Instructions: 131COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: XPdq
                                          • API String ID: 0-1708276200
                                          • Opcode ID: 36ef1edb5881575a15e999ecca25eb70658e5f07b210cf074edae21de6cf63e9
                                          • Instruction ID: ed39a4f9e8d0119a61b37f2263a3aec6a6cebfd7e9a01670358895cd4b912881
                                          • Opcode Fuzzy Hash: 36ef1edb5881575a15e999ecca25eb70658e5f07b210cf074edae21de6cf63e9
                                          • Instruction Fuzzy Hash: 93415174F102089FEB549FA5C854BAEBBF7AF88700F208529E205EB395DA714C058B51
                                          Function 0670DAC0 Relevance: 1.4, Strings: 1, Instructions: 117COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PH_q
                                          • API String ID: 0-2397113591
                                          • Opcode ID: 597430c096eba761b5b885647ae091db26ba14a05c61f32b646f2ee5e98ab386
                                          • Instruction ID: 258eacba1828f1f8a054d5afafbb1c90b6113d553b8df2794795c8da040a54f8
                                          • Opcode Fuzzy Hash: 597430c096eba761b5b885647ae091db26ba14a05c61f32b646f2ee5e98ab386
                                          • Instruction Fuzzy Hash: 5A415070E0030ADFEB64DFA5C5546AEBBF6BF85340F208929E406D7284DB71E945CB91
                                          Function 0670DAAD Relevance: 1.4, Strings: 1, Instructions: 114COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PH_q
                                          • API String ID: 0-2397113591
                                          • Opcode ID: 43d34126cae9a17a715f06d973e9e43bef0e268a343e0c0fb1bebe96df6a023b
                                          • Instruction ID: 5dd006e717d28cedc958fb1e12baff499b6080f5790c23b329446e113611466b
                                          • Opcode Fuzzy Hash: 43d34126cae9a17a715f06d973e9e43bef0e268a343e0c0fb1bebe96df6a023b
                                          • Instruction Fuzzy Hash: 9D416270E00305DFEB65DFA5C5946AEBBF6BF85300F104929E805DB280DB71E946CB51
                                          Function 067021E5 Relevance: 1.4, Strings: 1, Instructions: 109COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PH_q
                                          • API String ID: 0-2397113591
                                          • Opcode ID: dd0f54c802279d437366f694dffd31383e6f492e43314cc286998e4715bf9f56
                                          • Instruction ID: c1088aea726df2eaca8a4a9843bfa44a1e84c9d179f7cfc48c44bfa54b71b906
                                          • Opcode Fuzzy Hash: dd0f54c802279d437366f694dffd31383e6f492e43314cc286998e4715bf9f56
                                          • Instruction Fuzzy Hash: 1131EE31B002018FEB49ABB4D45877E7BE6AB89300F218969D406DB396DF35DD46CBA1
                                          Function 067021F8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PH_q
                                          • API String ID: 0-2397113591
                                          • Opcode ID: 519542d73457db70bfabacf70985b9a14622175cc58957e5e986fa21398a676b
                                          • Instruction ID: bfc96859ed205442c8dffa9e2e8eb391cf158e3a5c1783721607ba3b8056059c
                                          • Opcode Fuzzy Hash: 519542d73457db70bfabacf70985b9a14622175cc58957e5e986fa21398a676b
                                          • Instruction Fuzzy Hash: 8731F031B002018FEB49ABB4C41867E7BE7AB88300F218869D406DB395DE35DD46CBA1
                                          Function 067082C0 Relevance: 1.3, Strings: 1, Instructions: 40COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q
                                          • API String ID: 0-238743419
                                          • Opcode ID: 7b83c227e09aca68fae45fe46b1fdda3a1d90f25fb010141376674be983b41a8
                                          • Instruction ID: bbbd96d1014f9a3ee72947fecdbffbaff65aeb8c24ec43816321ce54f06b640d
                                          • Opcode Fuzzy Hash: 7b83c227e09aca68fae45fe46b1fdda3a1d90f25fb010141376674be983b41a8
                                          • Instruction Fuzzy Hash: 00F08C35A00205CFEF649AB5EA806BCB3E5EBC8354F148066D905CB295D631EA41C762
                                          Function 0670B220 Relevance: .3, Instructions: 291COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 02ec563ba2db85a5314a2074a3d73498c974b824e750d1f9ad13e9523c5c2652
                                          • Instruction ID: 032cb011a52dabf071175f02d9c4149c6f50efeb5b46cf06e84a33616ee148d7
                                          • Opcode Fuzzy Hash: 02ec563ba2db85a5314a2074a3d73498c974b824e750d1f9ad13e9523c5c2652
                                          • Instruction Fuzzy Hash: 2AA18334E00109DBFF64CB6CD5947BEB7E6EB89710F204829E409E73D5DA25DD818B61
                                          Function 0670B638 Relevance: .3, Instructions: 270COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 49ff879484bcd5733b658007a068513166bc81ed039f15346b8777f76da36fe3
                                          • Instruction ID: a462b0a052089871fc603dca524e2197d81de4114b6e89b36905a4825ef771f7
                                          • Opcode Fuzzy Hash: 49ff879484bcd5733b658007a068513166bc81ed039f15346b8777f76da36fe3
                                          • Instruction Fuzzy Hash: AAA15834E1020ACBEFA0CB69C484BADB7F1EB45710F148966E419DB395D732DE85CBA1
                                          Function 067061E8 Relevance: .2, Instructions: 229COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 407c2798c037f1a2b37177db27f787b0479d909832b5f4a193dc7e1107331f2a
                                          • Instruction ID: 3ba03156e9a1d246950b968c7b89c987804da14bc0298a9dcb193ebaaeb547bd
                                          • Opcode Fuzzy Hash: 407c2798c037f1a2b37177db27f787b0479d909832b5f4a193dc7e1107331f2a
                                          • Instruction Fuzzy Hash: 84618EB1F400114FDB549B6DC89466FBADBAFC4224B154439E80EDB364DEA5DD0287D2
                                          Function 067045E8 Relevance: .2, Instructions: 222COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d482988d8145dfcac4c3aa5baa5c54f2cff9f6a19193f32455847bd82b151a1e
                                          • Instruction ID: 176d303c6404bff4f55c26c1fcacba187ac3588b77ecedf6575fe24781366cd4
                                          • Opcode Fuzzy Hash: d482988d8145dfcac4c3aa5baa5c54f2cff9f6a19193f32455847bd82b151a1e
                                          • Instruction Fuzzy Hash: 83913C34E10259CFDF60DF68C890B9DB7B1FF85300F208599D549AB299EB70AA85CF91
                                          Function 067042CA Relevance: .2, Instructions: 219COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d25438568ba5f9e8794c62bec0e7cba3303275bb7185bd55eefd56ac1a7ef629
                                          • Instruction ID: 60bd18daf0873d7ba72f8fc9b575a0c40f9f7f4bb6725a19a0cfe6f08626e08f
                                          • Opcode Fuzzy Hash: d25438568ba5f9e8794c62bec0e7cba3303275bb7185bd55eefd56ac1a7ef629
                                          • Instruction Fuzzy Hash: AC813C34B0020ADFEB54DBB4D55476EB7F2AB88304F108529E50AEB398EB71DC428B91
                                          Function 067042D8 Relevance: .2, Instructions: 218COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: aebf4d0794fd58124eebac29fd274ff599b45db50578d4f545d1d394d6cec2bb
                                          • Instruction ID: 01d97996040fc57411b53677253d1f7f2d8ce74a0b18980e5631e792316a13a9
                                          • Opcode Fuzzy Hash: aebf4d0794fd58124eebac29fd274ff599b45db50578d4f545d1d394d6cec2bb
                                          • Instruction Fuzzy Hash: 19814C34B0020ADFDF54DBB4D55476EB7F6AB88304F108529E50AEB398EB71DC428B91
                                          Function 06704600 Relevance: .2, Instructions: 210COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5f1c3cccc8618564a7316e30d663b879cee9a38ba858fdaea29ca2144952d9ea
                                          • Instruction ID: 8335b3992db290009f666bcde5d05550cba408f0da28c80e64251a77f02a2dfd
                                          • Opcode Fuzzy Hash: 5f1c3cccc8618564a7316e30d663b879cee9a38ba858fdaea29ca2144952d9ea
                                          • Instruction Fuzzy Hash: E0913E34E10619CBDF60DF68C880B9DB7F1FF89310F208599D549BB295EB70AA858F91
                                          Function 0670EF00 Relevance: .2, Instructions: 203COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 09783b5a2ef4898f7ccc63a6160ae85548f11551ad03b0f81c6ed146c8cdb6bd
                                          • Instruction ID: e730cd76af7e97f868d30102b0a0fef214cc498a7212e3eee04a2552f074f231
                                          • Opcode Fuzzy Hash: 09783b5a2ef4898f7ccc63a6160ae85548f11551ad03b0f81c6ed146c8cdb6bd
                                          • Instruction Fuzzy Hash: E4713C74A00209DFDB94DBA8D984AADBBF6FF84300F148429E509EB254DB30ED46CB51
                                          Function 0670EF10 Relevance: .2, Instructions: 201COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 34b4aed690422c711c1f335b69d5ae2d4092ba00db6f515873ab7d7e0a30b6c2
                                          • Instruction ID: 5c2d776c9b4d4f17977322e400f2279706c49424aaaeef55a908cabb7180cf93
                                          • Opcode Fuzzy Hash: 34b4aed690422c711c1f335b69d5ae2d4092ba00db6f515873ab7d7e0a30b6c2
                                          • Instruction Fuzzy Hash: F5714B74A00209DFDB94DBA9D984AADBBF6FF84300F148429E509EB358DB30EC46CB51
                                          Function 0670FC70 Relevance: .2, Instructions: 174COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: be1ff7ed75006ee9970f5a4b21565ca37c69b8988ee9f80ac7dbcc1189f43edd
                                          • Instruction ID: 83c844f7d8f14cc4e01f3c1b8f81f0028745dc2520bdcdde88fec93c39317423
                                          • Opcode Fuzzy Hash: be1ff7ed75006ee9970f5a4b21565ca37c69b8988ee9f80ac7dbcc1189f43edd
                                          • Instruction Fuzzy Hash: 1E513431E00105DFEB64EF78E4542ADBBF2FB84315F20886AE909D7290DF398845CB91
                                          Function 0670FA1F Relevance: .2, Instructions: 169COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c598b0d28d372cf6112237e8720fd8ca5b4e66a6587ce11b75b6c4d618a955ca
                                          • Instruction ID: 445081e5162bf47e2a9d3406268bd5b3095b8b447cd7696fc40783db411c765d
                                          • Opcode Fuzzy Hash: c598b0d28d372cf6112237e8720fd8ca5b4e66a6587ce11b75b6c4d618a955ca
                                          • Instruction Fuzzy Hash: 6F51A730B50205DBFFB46678D95477F2AAAD789710F20492AF80AC73D9CA7DCC4587A2
                                          Function 0670FA30 Relevance: .2, Instructions: 163COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c26311281bc86cff37d0129bc6fd3f5e34d8f7b92e79972744d89fcaab646280
                                          • Instruction ID: 36271615abdb7d125b724fb7c0aa7733e0b50d6f640b7b245c67bcbf6da99ff3
                                          • Opcode Fuzzy Hash: c26311281bc86cff37d0129bc6fd3f5e34d8f7b92e79972744d89fcaab646280
                                          • Instruction Fuzzy Hash: 3051A270B50205DBFFB4666CD954B7F26AAD789710F20482AE80AC73D8CABDCC4547A2
                                          Function 06705450 Relevance: .1, Instructions: 126COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f5fa4ef206573cf914d683ca1fae4a6ec6764e445eea8d7fe1cd5e280cc861f3
                                          • Instruction ID: cec8c5ce43964e45641b392fc25e2aa3b0cdb262d345e0281fddab7972c364e6
                                          • Opcode Fuzzy Hash: f5fa4ef206573cf914d683ca1fae4a6ec6764e445eea8d7fe1cd5e280cc861f3
                                          • Instruction Fuzzy Hash: 3A413D75E006099FEB60CE99D980ABFB7F2FB84210F10492AE215D7690D770E8958FA0
                                          Function 067055C1 Relevance: .1, Instructions: 107COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5fa968bb10f9cbd6642ec849bdb8e5e67a07613e39e02c487d707ba40175638a
                                          • Instruction ID: e45f366116f0dc5a81d55e66855b120bafb29ac3032fe1e49d92bf0c9a3f0b1d
                                          • Opcode Fuzzy Hash: 5fa968bb10f9cbd6642ec849bdb8e5e67a07613e39e02c487d707ba40175638a
                                          • Instruction Fuzzy Hash: 8E31AF70E00205CBFF70CA68CA8077EB7F2EB45720F24892AD059DB281E635D991DFA1
                                          Function 0670D960 Relevance: .1, Instructions: 100COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 726e5f2b63ba23c198b9254dce17b4b503cf38253b504bb3754e6572a3ca1bb8
                                          • Instruction ID: eac626134c027451c4212ec493bc472a29462cd6d43b4fb7c01ab10520c74c1d
                                          • Opcode Fuzzy Hash: 726e5f2b63ba23c198b9254dce17b4b503cf38253b504bb3754e6572a3ca1bb8
                                          • Instruction Fuzzy Hash: 66319430E1030ADBDF64DFA9D89069EB7F6FF85304F204929E405EB254EB70A9468B91
                                          Function 067020A8 Relevance: .1, Instructions: 98COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5420679bf381a79e3ed21e7490b8af8902ed1516a6f5c736549e2628c1886f0f
                                          • Instruction ID: fe987c6e10b8d94ffe58e74810fadcf03f7b052230d271894b15d9dd0122e269
                                          • Opcode Fuzzy Hash: 5420679bf381a79e3ed21e7490b8af8902ed1516a6f5c736549e2628c1886f0f
                                          • Instruction Fuzzy Hash: D831A031E1060ADBDB15CF64C854AAEBBF6AF89310F10C529E815EB395DB71AD42CB50
                                          Function 067020B8 Relevance: .1, Instructions: 91COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 45a922c578d459873b51cb5c29b52b21a2057e37828158d0bb360fa83463a70d
                                          • Instruction ID: 17db6f8a1623a42b62538afa51709d22533ed761d6242a2737ce8c04cac1ce8b
                                          • Opcode Fuzzy Hash: 45a922c578d459873b51cb5c29b52b21a2057e37828158d0bb360fa83463a70d
                                          • Instruction Fuzzy Hash: F9317031E1020ADBDB54CF64D85469EB7F2AF89310F10C929E816E7795DB71AD42CB50
                                          Function 06703ED1 Relevance: .1, Instructions: 80COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ce23e7339f6d485b2ef1ac48f2cd15b22ed1af6299ce175c7b95b6d02cae788c
                                          • Instruction ID: f2de4ddd062eb69ee8ebffabed119a9376dac996aa8135809be18992eef63689
                                          • Opcode Fuzzy Hash: ce23e7339f6d485b2ef1ac48f2cd15b22ed1af6299ce175c7b95b6d02cae788c
                                          • Instruction Fuzzy Hash: 3D21A075F00206DFEB10CF78D944BAEBBF5AB48620F148166E905E7394E735EC418B90
                                          Function 06703EE0 Relevance: .1, Instructions: 78COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1d1acd2aef6b934c8041001571a0716d514b605a68b8a24879657ee99a1b6cbc
                                          • Instruction ID: 5b503c2867609ddc63bcb583879326bf4f27950b6c10f5305b4b021d47caa631
                                          • Opcode Fuzzy Hash: 1d1acd2aef6b934c8041001571a0716d514b605a68b8a24879657ee99a1b6cbc
                                          • Instruction Fuzzy Hash: 7B217C75F00216DFEB50DF69D980AAEBBF5AB48710F108066E905E7394E731EC418BA1
                                          Function 06705440 Relevance: .1, Instructions: 77COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ed6fc09ea619473ebe04a8a44f381df280e1c4ef4a9a29a5559ddd3ba1949e73
                                          • Instruction ID: 81ffc9d0ce6945382df50464e39d734f7efdb0c0b855ee7dbce0133640e6e73c
                                          • Opcode Fuzzy Hash: ed6fc09ea619473ebe04a8a44f381df280e1c4ef4a9a29a5559ddd3ba1949e73
                                          • Instruction Fuzzy Hash: 5C218171E00709DFEB60CEA9D985AAFFBF2FB44310F104929E15993590D770E8458FA0
                                          Function 0290D044 Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2544461749.000000000290D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0290D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_290d000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ee11e88901e04761db60706af9b2ff144ac7800cf7728537da75dc984264ab16
                                          • Instruction ID: 9aa8076471b72bb932f45566e237ab010828862a314d7d1730b5b57329a713e9
                                          • Opcode Fuzzy Hash: ee11e88901e04761db60706af9b2ff144ac7800cf7728537da75dc984264ab16
                                          • Instruction Fuzzy Hash: 6321F275504208DFDB14CF64D9C4F26BBB9FB88314F20C9A9E84D4B296C77AD846CA71
                                          Function 06703481 Relevance: .1, Instructions: 71COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3b6085ea49ea30184dfbc59d8d5e515719d0e373c79e708c897fc537640a73db
                                          • Instruction ID: 3749f1a12370d12c7b033f8f694150034c83a5c14ce43f0d8778415f0ed7e925
                                          • Opcode Fuzzy Hash: 3b6085ea49ea30184dfbc59d8d5e515719d0e373c79e708c897fc537640a73db
                                          • Instruction Fuzzy Hash: 3E21D574E002199FDF549B79D8449EEB7F6EB89320F508969E10AE7340EA31D941CBA1
                                          Function 06706D08 Relevance: .1, Instructions: 68COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 39b8051144b5914f843f79c460a8c84fd039ee644b07f3ba99772552c39e05e0
                                          • Instruction ID: 60f90944f47d6cabf1ead0b39fcbbd065a2ee9c874edc86007aad9aa00c2c869
                                          • Opcode Fuzzy Hash: 39b8051144b5914f843f79c460a8c84fd039ee644b07f3ba99772552c39e05e0
                                          • Instruction Fuzzy Hash: AD21A230F10119DFEF44DB69E9547ADB7F6EB84310F208425D505E7384DB31AC558B90
                                          Function 06703FF0 Relevance: .1, Instructions: 59COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3463450c99280ac335ede3eeb46df69eb70aaa51ef81bb6c439155ca48ca4f79
                                          • Instruction ID: b87fc9988894b7b28b52a375ef4b21d0c7017f1e6e8e87a3b73c1e805eff8660
                                          • Opcode Fuzzy Hash: 3463450c99280ac335ede3eeb46df69eb70aaa51ef81bb6c439155ca48ca4f79
                                          • Instruction Fuzzy Hash: 6611A535B24015DBEB48D678D8146EE73F6EBC8311F008575D506E7384EE66DC028BA1
                                          Function 06704229 Relevance: .1, Instructions: 57COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 70f7ebd545377a2e06616cae5f1f0a4ad052727337ead842919e5534fcf68290
                                          • Instruction ID: 8a686bcd8abc8fb0fe2892261f0bfdeaf3a139a2581227ae887f169e2bcd9d63
                                          • Opcode Fuzzy Hash: 70f7ebd545377a2e06616cae5f1f0a4ad052727337ead842919e5534fcf68290
                                          • Instruction Fuzzy Hash: 0101F130B000148BEBA0D5AD9854B6BA7DADBC9720F10843AE20AC7399DD61DC0243E1
                                          Function 06703CA8 Relevance: .1, Instructions: 55COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 08fedf1171086261ecc382027cdae6d7d1b7c1435aa6217be30ba8a98f5febb4
                                          • Instruction ID: 6fcc6095b077b89d811432a6e037f15223d9285f29780cdaa12da8bb5a983839
                                          • Opcode Fuzzy Hash: 08fedf1171086261ecc382027cdae6d7d1b7c1435aa6217be30ba8a98f5febb4
                                          • Instruction Fuzzy Hash: C921EFB5804259AFCB00DF9AD884ADEFBB4FB49320F10852AE918B3240D374A954CBA5
                                          Function 06703FDF Relevance: .1, Instructions: 54COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: aa835685e16647fabb2a0ca0c0366aac4088e47cefb0683605cbce98daa6cc23
                                          • Instruction ID: 1717fc473cdf45c9e8cdfe83301d62141ae0a8c25cdffe42b7d81bacba50fcd1
                                          • Opcode Fuzzy Hash: aa835685e16647fabb2a0ca0c0366aac4088e47cefb0683605cbce98daa6cc23
                                          • Instruction Fuzzy Hash: 0F012832B24025EBEB449668DC046EF73FAEBC5310F008075D506E7384EE619C0247E1
                                          Function 0290D03F Relevance: .1, Instructions: 53COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2544461749.000000000290D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0290D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_290d000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                          • Instruction ID: f3499c10a61bbe0946e3fa9634b83c396319b7b4d7835f8354180ae843900d9f
                                          • Opcode Fuzzy Hash: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                          • Instruction Fuzzy Hash: 0411DD75504288CFCB15CF50D9C4B15BBB2FB88318F24C6A9E8494B692C33AD84ACF62
                                          Function 06703CB0 Relevance: .1, Instructions: 52COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3e34efd325da558c8457d18633d509a7753ba696462fe023d21ae62af9ff2462
                                          • Instruction ID: ef22d84dff2ce9ffd607a4cf9d0c10307bd6c01682c82cf7b6dc6620ef1b6010
                                          • Opcode Fuzzy Hash: 3e34efd325da558c8457d18633d509a7753ba696462fe023d21ae62af9ff2462
                                          • Instruction Fuzzy Hash: 0511CFB5D01259AFCB00DF9AD884ADEFBB4FB49320F10812AE918B7240C375A954CFA5
                                          Function 0670F17F Relevance: .1, Instructions: 52COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4e0a517abbba74dba62c341c37b6090d339c6f7d58a1632b1c059048f3a992ac
                                          • Instruction ID: 84b9ab4ffffe1306c712adb8d1efbd46da166f9170f8b2b0056c071c3e22330e
                                          • Opcode Fuzzy Hash: 4e0a517abbba74dba62c341c37b6090d339c6f7d58a1632b1c059048f3a992ac
                                          • Instruction Fuzzy Hash: DA01F77AB000158BEB61DA7CE45577EA3D6DBC4320F10883AE90AC7385EE24CC0247A0
                                          Function 06704238 Relevance: .1, Instructions: 51COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 44c968ce2570f32c312be6f7696a3fc58fd63c6a2624eb05e4e7c3e58bed1d13
                                          • Instruction ID: 12ea35c95f7a7d533006ae2dc1bcebd7e037f6a4377d074bddfbe021d02705cb
                                          • Opcode Fuzzy Hash: 44c968ce2570f32c312be6f7696a3fc58fd63c6a2624eb05e4e7c3e58bed1d13
                                          • Instruction Fuzzy Hash: 0001AD30B100248BEBA4D5AD9454B2AA2DADBC8720F10C43AE60AC7398EE61DC0243E1
                                          Function 0670F190 Relevance: .0, Instructions: 49COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d55ba08a0f1dcc9cb5195671455b8c5dfb3a4a70e8a974bcef92e39d28364a7c
                                          • Instruction ID: 617fed94122d66130e92fcffbd0960928c7bc11afbd6c797811255f22215b2cc
                                          • Opcode Fuzzy Hash: d55ba08a0f1dcc9cb5195671455b8c5dfb3a4a70e8a974bcef92e39d28364a7c
                                          • Instruction Fuzzy Hash: 1801D135B000148BDB60DA7DE854B3E63D6DBC8720F108839E90AC7385EE25DC0243A1
                                          Function 0670A2FA Relevance: .0, Instructions: 47COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fc1318f9dca18fa689abb967c346a4555726623423f4984b944b5ce54efb54eb
                                          • Instruction ID: 83d1a79b4972e97bf6738f7b3893f3caf6f7c0a3db53ae571ed8744203e49853
                                          • Opcode Fuzzy Hash: fc1318f9dca18fa689abb967c346a4555726623423f4984b944b5ce54efb54eb
                                          • Instruction Fuzzy Hash: 1301A275F042004FEB50EA3CD955B2EA7D2EB8D761F508429E50AC7395EE21DC018791
                                          Function 0670A308 Relevance: .0, Instructions: 46COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 06d1273df1044d7ad59d9d15921ddcd6f338d2f60dc55410c898e507b9eb8ea4
                                          • Instruction ID: fcce76b25461525953762a711ce0bf4a23d42acdb9242209c5ee19026a16632e
                                          • Opcode Fuzzy Hash: 06d1273df1044d7ad59d9d15921ddcd6f338d2f60dc55410c898e507b9eb8ea4
                                          • Instruction Fuzzy Hash: 17018134F102148FDB60EA3DD454B2EB7D6EB8A760F508439E50AC7395EE21DC028794
                                          Function 06706468 Relevance: .0, Instructions: 28COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 82c92709b17fe2e6318dfe21e154c2cdd12154e8d2fa5f5dd12fef6e1edb2371
                                          • Instruction ID: e5da28c039a9b894439dcbd8cc6111d64dab022597b834fc559d88df0e4e9aee
                                          • Opcode Fuzzy Hash: 82c92709b17fe2e6318dfe21e154c2cdd12154e8d2fa5f5dd12fef6e1edb2371
                                          • Instruction Fuzzy Hash: E8F06530D05248EFEB50DFB0C959B2977E8DB01214F1188A5D418CB192E176DA6187A1
                                          Function 06706478 Relevance: .0, Instructions: 22COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 60989437eb31f36a88b24c626a9401e03f262ae62647aa4789d74cd00d0c7935
                                          • Instruction ID: 3a7170094d19c42f8bb05e1734f6cc1f32a591b508787ff70cf7ffca82e1b713
                                          • Opcode Fuzzy Hash: 60989437eb31f36a88b24c626a9401e03f262ae62647aa4789d74cd00d0c7935
                                          • Instruction Fuzzy Hash: 9EE0EC71E14109EBEF50DEA4D969B6A77EDEB01214F2088A5E408C7281F176DA1187A0
                                          Function 0670FEDF Relevance: .0, Instructions: 5COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f4f780d7f8647d8221705cde4ea9edbe3bea2c4acc937c6568a59dfb1e18cdfa
                                          • Instruction ID: a2b5a62bad4de1841563697679d4386ee2ffc6aae8c069ef4cb911bb00ffe93a
                                          • Opcode Fuzzy Hash: f4f780d7f8647d8221705cde4ea9edbe3bea2c4acc937c6568a59dfb1e18cdfa
                                          • Instruction Fuzzy Hash: 4AA00139112200CBCA9AAB7088509A53666BA8528A7E008AC952A0A2958A3AD843DA55

                                          Non-executed Functions

                                          Function 06707690 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q
                                          • API String ID: 0-698649689
                                          • Opcode ID: 24bea5727133d4119a8159900d9b7aa2c31dfeb77df12d8a3c7e562556ed106b
                                          • Instruction ID: 5be86cd6942f1703475addd5e02acb4abe6bf0b81e5d0432c2d109be5741285b
                                          • Opcode Fuzzy Hash: 24bea5727133d4119a8159900d9b7aa2c31dfeb77df12d8a3c7e562556ed106b
                                          • Instruction Fuzzy Hash: 12124F30E00219CFDB68DF65C954AAEB7F6BF88304F208569D509AB3A4DB31AD45CF91
                                          Function 0670A930 Relevance: 10.2, Strings: 8, Instructions: 229COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q
                                          • API String ID: 0-2216122830
                                          • Opcode ID: 264e462ef45d046ecc24973b1c1a53dd043277c5c505e6ff7cfd78b1171824f5
                                          • Instruction ID: c2970060c1276d06121b514984326e662772623dd329899ccfb66d3d8991aa4c
                                          • Opcode Fuzzy Hash: 264e462ef45d046ecc24973b1c1a53dd043277c5c505e6ff7cfd78b1171824f5
                                          • Instruction Fuzzy Hash: 9A916C70A10309DFEB64EB65DA94BBEB7F2BF84300F208529E40197296DB759C45CBA0
                                          Function 06707090 Relevance: 9.2, Strings: 7, Instructions: 405COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .5wq$$_q$$_q$$_q$$_q$$_q$$_q
                                          • API String ID: 0-3129995876
                                          • Opcode ID: d9b837bb99c6ada8fe9f8dbd56c9074aca6ce8b8c0a2801c00aa99d28b6da4ea
                                          • Instruction ID: 8c5f9f894c88da7c12ca154e14a4f45468c47f242e19b1b7dcf0e0f774d745f6
                                          • Opcode Fuzzy Hash: d9b837bb99c6ada8fe9f8dbd56c9074aca6ce8b8c0a2801c00aa99d28b6da4ea
                                          • Instruction Fuzzy Hash: 67F12D34A00209DFEB59EF64D594B6EB7F3BF84300F248569D4069B3A9DB31AC46CB91
                                          Function 067083C8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q
                                          • API String ID: 0-1171383116
                                          • Opcode ID: 39159727a52c8eb00c7bc18934a190b909bdf89394a57b9d8a678c899d4499bb
                                          • Instruction ID: 0c665384798c1b89d04ff2e5e53fb8e86820b6dc4aa2e3f4ef76ee56ad4a27ed
                                          • Opcode Fuzzy Hash: 39159727a52c8eb00c7bc18934a190b909bdf89394a57b9d8a678c899d4499bb
                                          • Instruction Fuzzy Hash: B4B13B34A00209CFEB54EFA8C59466EB7F2BF84300F248869E405DB399DB75DC86CB91
                                          Function 067087E0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LR_q$LR_q$$_q$$_q
                                          • API String ID: 0-2912794808
                                          • Opcode ID: d04c5b8fffc3fd1549f8f32759e5561eb84e6065a3783f15360b559c6083377b
                                          • Instruction ID: ddc1f97aa0496bb00be35f0948f54d96eb42faed20efdf460918aea68a0d19bd
                                          • Opcode Fuzzy Hash: d04c5b8fffc3fd1549f8f32759e5561eb84e6065a3783f15360b559c6083377b
                                          • Instruction Fuzzy Hash: 4C51A034B10205DFEB58EB68C944B6AB7E6BF84304B148569E405DB3E9DB31EC41CBA2
                                          Function 0670ACBA Relevance: 5.2, Strings: 4, Instructions: 158COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2560333774.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_6700000_mpTrle.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $_q$$_q$$_q$$_q
                                          • API String ID: 0-1171383116
                                          • Opcode ID: e02fdabc340976b8ca4ed7f4ec8384dd143a701c32779e4a7281d28e0b2a90e7
                                          • Instruction ID: 1d9194412ccff955adbc457d638bc3145027d39b9ca3c925ca9f221ce1279d12
                                          • Opcode Fuzzy Hash: e02fdabc340976b8ca4ed7f4ec8384dd143a701c32779e4a7281d28e0b2a90e7
                                          • Instruction Fuzzy Hash: 68514C34A10305DFEF65DB68D584AADB3F6FB88311F248529E805D729ADB31DC42CB61