
Windows Analysis Report
PROFORMA FATURA.exe

Overview

General Information

Sample name:PROFORMA FATURA.exe
Analysis ID:1525518
MD5:49c53c3c0868699a9cbe2ef3d5bfcb8e
SHA1:3113b54138af9199fd97f96a42542541b6a8fdb3
SHA256:0ad205b2d883bca56250246f308228379c27f6114d8b740014deeef53b3412bb
Tags:exeuser-lowmal3

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • PROFORMA FATURA.exe (PID: 2672 cmdline: "C:\Users\user\Desktop\PROFORMA FATURA.exe" MD5: 49C53C3C0868699A9CBE2EF3D5BFCB8E)
    • powershell.exe (PID: 2432 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA FATURA.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3800 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 3384 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 3496 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GvgUQlbRIXOe" /XML "C:\Users\user\AppData\Local\Temp\tmpAB7A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PROFORMA FATURA.exe (PID: 5396 cmdline: "C:\Users\user\Desktop\PROFORMA FATURA.exe" MD5: 49C53C3C0868699A9CBE2EF3D5BFCB8E)
  • GvgUQlbRIXOe.exe (PID: 6412 cmdline: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe MD5: 49C53C3C0868699A9CBE2EF3D5BFCB8E)
    • schtasks.exe (PID: 4784 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GvgUQlbRIXOe" /XML "C:\Users\user\AppData\Local\Temp\tmpBA20.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 3172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • GvgUQlbRIXOe.exe (PID: 6112 cmdline: "C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe" MD5: 49C53C3C0868699A9CBE2EF3D5BFCB8E)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "zqamcx.com", "Username": "sender@zqamcx.com", "Password": "Methodman991"}
Source | Rule | Description | Author | Strings
0000000E.00000002.4572147923.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000E.00000002.4572147923.0000000002C48000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000009.00000002.4572408671.00000000028CE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000009.00000002.4572408671.00000000028F8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000E.00000002.4572147923.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Source | Rule | Description | Author | Strings
11.2.GvgUQlbRIXOe.exe.4beb6e0.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
11.2.GvgUQlbRIXOe.exe.4beb6e0.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
11.2.GvgUQlbRIXOe.exe.4beb6e0.3.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen |
  • 0x33205:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33277:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33301:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33393:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x333fd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3346f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x33505:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33595:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.GvgUQlbRIXOe.exe.4c27f00.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
11.2.GvgUQlbRIXOe.exe.4c27f00.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA FATURA.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA FATURA.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PROFORMA FATURA.exe", ParentImage: C:\Users\user\Desktop\PROFORMA FATURA.exe, ParentProcessId: 2672, ParentProcessName: PROFORMA FATURA.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA FATURA.exe", ProcessId: 2432, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GvgUQlbRIXOe" /XML "C:\Users\user\AppData\Local\Temp\tmpBA20.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GvgUQlbRIXOe" /XML "C:\Users\user\AppData\Local\Temp\tmpBA20.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe, ParentImage: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe, ParentProcessId: 6412, ParentProcessName: GvgUQlbRIXOe.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GvgUQlbRIXOe" /XML "C:\Users\user\AppData\Local\Temp\tmpBA20.tmp", ProcessId: 4784, ProcessName: schtasks.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 78.110.166.82, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\PROFORMA FATURA.exe, Initiated: true, ProcessId: 5396, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 53953
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GvgUQlbRIXOe" /XML "C:\Users\user\AppData\Local\Temp\tmpAB7A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GvgUQlbRIXOe" /XML "C:\Users\user\AppData\Local\Temp\tmpAB7A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PROFORMA FATURA.exe", ParentImage: C:\Users\user\Desktop\PROFORMA FATURA.exe, ParentProcessId: 2672, ParentProcessName: PROFORMA FATURA.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GvgUQlbRIXOe" /XML "C:\Users\user\AppData\Local\Temp\tmpAB7A.tmp", ProcessId: 3496, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA FATURA.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA FATURA.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PROFORMA FATURA.exe", ParentImage: C:\Users\user\Desktop\PROFORMA FATURA.exe, ParentProcessId: 2672, ParentProcessName: PROFORMA FATURA.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA FATURA.exe", ProcessId: 2432, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GvgUQlbRIXOe" /XML "C:\Users\user\AppData\Local\Temp\tmpAB7A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GvgUQlbRIXOe" /XML "C:\Users\user\AppData\Local\Temp\tmpAB7A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PROFORMA FATURA.exe", ParentImage: C:\Users\user\Desktop\PROFORMA FATURA.exe, ParentProcessId: 2672, ParentProcessName: PROFORMA FATURA.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GvgUQlbRIXOe" /XML "C:\Users\user\AppData\Local\Temp\tmpAB7A.tmp", ProcessId: 3496, ProcessName: schtasks.exe
No Suricata rule has matched

AV Detection

Source: 0.2.PROFORMA FATURA.exe.4ab7388.1.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "zqamcx.com", "Username": "sender@zqamcx.com", "Password": "Methodman991"}
Source: zqamcx.com; Virustotal: Detection: 9%
Source: http://zqamcx.com; Virustotal: Detection: 9%
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Virustotal: Detection: 56%
Source: PROFORMA FATURA.exe; ReversingLabs: Detection: 75%
Source: PROFORMA FATURA.exe; Virustotal: Detection: 56%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Joe Sandbox ML: detected
Source: PROFORMA FATURA.exe; Joe Sandbox ML: detected
Source: PROFORMA FATURA.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PROFORMA FATURA.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ThhL.pdbSHA256g source: PROFORMA FATURA.exe, GvgUQlbRIXOe.exe.0.dr
Source: Binary string: ThhL.pdb source: PROFORMA FATURA.exe, GvgUQlbRIXOe.exe.0.dr
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 4x nop then jmp 0747B7A6h (0_2_0747B899)
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 4x nop then jmp 0721AA06h (11_2_0721AAF9)
Source: global traffic; TCP traffic: 192.168.2.6:53953 -> 78.110.166.82:587
Source: Joe Sandbox View; IP Address: 78.110.166.82
Source: Joe Sandbox View; ASN Name: UKSERVERS-ASUKDedicatedServersHostingandCo-Location
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: zqamcx.com
Source: PROFORMA FATURA.exe, GvgUQlbRIXOe.exe.0.dr; String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: PROFORMA FATURA.exe, GvgUQlbRIXOe.exe.0.dr; String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: PROFORMA FATURA.exe, GvgUQlbRIXOe.exe.0.dr; String found in binary or memory: http://ocsp.comodoca.com0
Source: PROFORMA FATURA.exe, 00000009.00000002.4583291405.0000000006252000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4569708487.0000000000B85000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4572408671.000000000297B000.00000004.00000800.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4569708487.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4572408671.00000000028CE000.00000004.00000800.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4569767009.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4569767009.0000000001016000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4583496379.00000000062F2000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4572147923.0000000002CCB000.00000004.00000800.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4572147923.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://r11.i.lencr.org/0#
Source: PROFORMA FATURA.exe, 00000009.00000002.4583291405.0000000006252000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4569708487.0000000000B85000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4572408671.000000000297B000.00000004.00000800.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4569708487.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4572408671.00000000028CE000.00000004.00000800.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4569767009.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4569767009.0000000001016000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4583496379.00000000062F2000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4572147923.0000000002CCB000.00000004.00000800.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4572147923.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://r11.o.lencr.org0#
Source: PROFORMA FATURA.exe, 00000000.00000002.2170478140.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000B.00000002.2216843841.0000000003260000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PROFORMA FATURA.exe, 00000009.00000002.4583291405.0000000006252000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4569708487.0000000000B85000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4572408671.000000000297B000.00000004.00000800.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4569708487.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4572408671.00000000028CE000.00000004.00000800.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4583496379.0000000006328000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4569767009.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4569767009.0000000001016000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4583496379.00000000062F2000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4572147923.0000000002CCB000.00000004.00000800.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4572147923.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://x1.c.lencr.org/0
Source: PROFORMA FATURA.exe, 00000009.00000002.4583291405.0000000006252000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4569708487.0000000000B85000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4572408671.000000000297B000.00000004.00000800.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4569708487.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4572408671.00000000028CE000.00000004.00000800.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4583496379.0000000006328000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4569767009.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4569767009.0000000001016000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4583496379.00000000062F2000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4572147923.0000000002CCB000.00000004.00000800.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4572147923.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://x1.i.lencr.org/0
Source: PROFORMA FATURA.exe, 00000009.00000002.4572408671.000000000297B000.00000004.00000800.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4572408671.00000000028CE000.00000004.00000800.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4572147923.0000000002CCB000.00000004.00000800.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4572147923.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://zqamcx.com
Source: PROFORMA FATURA.exe, 00000000.00000002.2171035964.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4568852604.0000000000437000.00000040.00000400.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000B.00000002.2219115296.0000000004BEB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/
Source: PROFORMA FATURA.exe, GvgUQlbRIXOe.exe.0.dr; String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.PROFORMA FATURA.exe.4ab7388.1.raw.unpack, O9KGcRw9bkp.cs; .Net Code: KAZ
Source: 0.2.PROFORMA FATURA.exe.4a7ab68.4.raw.unpack, O9KGcRw9bkp.cs; .Net Code: KAZ
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PROFORMA FATURA.exe
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe

System Summary

Source: 11.2.GvgUQlbRIXOe.exe.4beb6e0.3.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 11.2.GvgUQlbRIXOe.exe.4c27f00.1.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.PROFORMA FATURA.exe.4a7ab68.4.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.PROFORMA FATURA.exe.4ab7388.1.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.PROFORMA FATURA.exe.4ab7388.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 11.2.GvgUQlbRIXOe.exe.4c27f00.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.PROFORMA FATURA.exe.4a7ab68.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 11.2.GvgUQlbRIXOe.exe.4beb6e0.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 0_2_02CAD5BC
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 0_2_053B6BE0
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 0_2_053B0011
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 0_2_053B0040
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 0_2_053B6BD0
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 0_2_07477728
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 0_2_074756C0
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 0_2_074756D0
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 0_2_07475298
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 0_2_07474E60
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 0_2_07476D78
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 9_2_00DA4A88
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 9_2_00DA9B40
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 9_2_00DACDC0
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 9_2_00DA3E70
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 9_2_00DA41B8
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 9_2_00DAF4A8
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 9_2_0551C900
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 9_2_05511010
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 9_2_055113D8
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 9_2_0551F2D0
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 9_2_05D6DD3D
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 9_2_05D68C0A
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 9_2_05D65760
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 9_2_05D62F08
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 9_2_05D63F38
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 9_2_05D60040
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 9_2_05D6BD90
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 9_2_05D63637
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 9_2_05D649E8
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Code function: 9_2_05D65068
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 11_2_0163D5BC
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 11_2_05556BE0
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 11_2_05550040
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 11_2_05550006
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 11_2_05556BD0
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 11_2_07214E60
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 11_2_07217728
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 11_2_072156C0
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 11_2_072156D0
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 11_2_07215298
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 11_2_07216D78
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 14_2_010E41B8
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 14_2_010E9B40
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 14_2_010E4A88
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 14_2_010ECDC0
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 14_2_010E3E70
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 14_2_010EF4B9
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 14_2_05FCDD3D
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 14_2_05FC8C0B
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 14_2_05FC5760
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 14_2_05FC3F38
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 14_2_05FC2F08
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 14_2_05FC0040
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 14_2_05FCBD90
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 14_2_05FC3637
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 14_2_05FC49E8
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Code function: 14_2_05FC5068
Source: PROFORMA FATURA.exe | Static PE information: invalid certificate
Source: PROFORMA FATURA.exe, 00000000.00000000.2115763119.0000000000B28000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameThhL.exe@ vs PROFORMA FATURA.exe
Source: PROFORMA FATURA.exe, 00000000.00000002.2169367415.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PROFORMA FATURA.exe
Source: PROFORMA FATURA.exe, 00000000.00000002.2171035964.0000000004712000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs PROFORMA FATURA.exe
Source: PROFORMA FATURA.exe, 00000000.00000002.2170478140.00000000030F0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameb9cb78e8-c1d3-4ab9-8530-a3a5b5ca79e5.exe4 vs PROFORMA FATURA.exe
Source: PROFORMA FATURA.exe, 00000000.00000002.2175247224.000000000A080000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs PROFORMA FATURA.exe
Source: PROFORMA FATURA.exe, 00000000.00000002.2171035964.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameb9cb78e8-c1d3-4ab9-8530-a3a5b5ca79e5.exe4 vs PROFORMA FATURA.exe
Source: PROFORMA FATURA.exe, 00000009.00000002.4569368222.00000000007F9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PROFORMA FATURA.exe
Source: PROFORMA FATURA.exe, 00000009.00000002.4568852604.0000000000439000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameb9cb78e8-c1d3-4ab9-8530-a3a5b5ca79e5.exe4 vs PROFORMA FATURA.exe
Source: PROFORMA FATURA.exe | Binary or memory string: OriginalFilenameThhL.exe@ vs PROFORMA FATURA.exe
Source: PROFORMA FATURA.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 11.2.GvgUQlbRIXOe.exe.4beb6e0.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.GvgUQlbRIXOe.exe.4c27f00.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PROFORMA FATURA.exe.4a7ab68.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PROFORMA FATURA.exe.4ab7388.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PROFORMA FATURA.exe.4ab7388.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.GvgUQlbRIXOe.exe.4c27f00.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PROFORMA FATURA.exe.4a7ab68.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.GvgUQlbRIXOe.exe.4beb6e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: PROFORMA FATURA.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GvgUQlbRIXOe.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PROFORMA FATURA.exe.4ab7388.1.raw.unpack, CMa60k.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PROFORMA FATURA.exe.4ab7388.1.raw.unpack, CMa60k.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PROFORMA FATURA.exe.4ab7388.1.raw.unpack, CMa60k.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PROFORMA FATURA.exe.4ab7388.1.raw.unpack, CMa60k.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PROFORMA FATURA.exe.4ab7388.1.raw.unpack, EgTglEucnUn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PROFORMA FATURA.exe.4ab7388.1.raw.unpack, EgTglEucnUn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PROFORMA FATURA.exe.4ab7388.1.raw.unpack, MmVR.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PROFORMA FATURA.exe.4ab7388.1.raw.unpack, MmVR.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, EGW1In2sxEk72sqfx8.cs | Security API names: _0020.SetAccessControl
Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, EGW1In2sxEk72sqfx8.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, EGW1In2sxEk72sqfx8.cs | Security API names: _0020.AddAccessRule
Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, YytYwTXRVn7U81VOno.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, YytYwTXRVn7U81VOno.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, EGW1In2sxEk72sqfx8.cs | Security API names: _0020.SetAccessControl
Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, EGW1In2sxEk72sqfx8.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, EGW1In2sxEk72sqfx8.cs | Security API names: _0020.AddAccessRule
Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, EGW1In2sxEk72sqfx8.cs | Security API names: _0020.SetAccessControl
Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, EGW1In2sxEk72sqfx8.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, EGW1In2sxEk72sqfx8.cs | Security API names: _0020.AddAccessRule
Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, YytYwTXRVn7U81VOno.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@19/15@1/1
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | File created: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1096:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6068:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3172:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:948:120:WilError_03
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Mutant created: \Sessions\1\BaseNamedObjects\LUhAgCfBCnbQ
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | File created: C:\Users\user\AppData\Local\Temp\tmpAB7A.tmp
Source: PROFORMA FATURA.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PROFORMA FATURA.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PROFORMA FATURA.exe | ReversingLabs: Detection: 75%
Source: PROFORMA FATURA.exe | Virustotal: Detection: 56%
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | File read: C:\Users\user\Desktop\PROFORMA FATURA.exe
Source: unknown | Process created: C:\Users\user\Desktop\PROFORMA FATURA.exe "C:\Users\user\Desktop\PROFORMA FATURA.exe"
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA FATURA.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GvgUQlbRIXOe" /XML "C:\Users\user\AppData\Local\Temp\tmpAB7A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Process created: C:\Users\user\Desktop\PROFORMA FATURA.exe "C:\Users\user\Desktop\PROFORMA FATURA.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GvgUQlbRIXOe" /XML "C:\Users\user\AppData\Local\Temp\tmpBA20.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Process created: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe "C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe"
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA FATURA.exe"
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe"
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GvgUQlbRIXOe" /XML "C:\Users\user\AppData\Local\Temp\tmpAB7A.tmp"
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Process created: C:\Users\user\Desktop\PROFORMA FATURA.exe "C:\Users\user\Desktop\PROFORMA FATURA.exe"
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GvgUQlbRIXOe" /XML "C:\Users\user\AppData\Local\Temp\tmpBA20.tmp"
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Process created: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe "C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe"
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: PROFORMA FATURA.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: PROFORMA FATURA.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: PROFORMA FATURA.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: ThhL.pdbSHA256g source: PROFORMA FATURA.exe, GvgUQlbRIXOe.exe.0.dr
                    Source: Binary string: ThhL.pdb source: PROFORMA FATURA.exe, GvgUQlbRIXOe.exe.0.dr

                    Data Obfuscation

                    Source: PROFORMA FATURA.exe, Form1.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
                    Source: GvgUQlbRIXOe.exe.0.dr, Form1.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
                    Source: 0.2.PROFORMA FATURA.exe.3efa190.3.raw.unpack, MainForm.cs | .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.PROFORMA FATURA.exe.59d0000.5.raw.unpack, MainForm.cs | .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, EGW1In2sxEk72sqfx8.cs | .Net Code: yZlktfWd1o System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, EGW1In2sxEk72sqfx8.cs | .Net Code: yZlktfWd1o System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, EGW1In2sxEk72sqfx8.cs | .Net Code: yZlktfWd1o System.Reflection.Assembly.Load(byte[])
                    Source: PROFORMA FATURA.exe | Static PE information: 0xDEBF553A [Thu Jun 3 06:05:46 2088 UTC]
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Code function: 0_2_0747E7ED push FFFFFF8Bh; iretd 0_2_0747E7EF
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Code function: 11_2_0721DA4D push FFFFFF8Bh; iretd 11_2_0721DA4F
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Code function: 14_2_05FCF708 push F4057CCFh; iretd 14_2_05FCF711
                    Source: PROFORMA FATURA.exe | Static PE information: section name: .text entropy: 7.502265215302294
                    Source: GvgUQlbRIXOe.exe.0.dr | Static PE information: section name: .text entropy: 7.502265215302294
                    Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, g4Qs8M5oWwROxbKec3.cs | High entropy of concatenated method names: 'fGG6ov0mZ1', 'z9861YA9qS', 'O8W6tBllRO', 'RZf6Ev8JCW', 'c1q6JVyrhH', 'qFy6l03KBO', 'v4E60y3waN', 'XgV69ehsdG', 'FLQ6ZwkB9k', 'QcI6aJgQw9'
                    Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, zgxQIxz5lAukYUxvcV.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LYurI4lJjl', 'DZQre7PP7g', 'AetrDsDgK8', 'b1KrN59af1', 'SJmrOnkyC9', 'PAZrrXZ5KF', 'AFYr24Uy4L'
                    Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, JTnk9wqS5upEMWkVDI.cs | High entropy of concatenated method names: 'GODHWatdyD3ai5D1mqb', 'wX7NoKtHR7EPQpZs1Cu', 'rl9HOgrwQ3', 'obXHrWJFf7', 'fOTH2E62eW', 'DNVxNAt0Ia2l0xdeW2U', 'g4ZJ6stceAIeDFVhj9b'
                    Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, SIM1vrU83M80n3ghnSU.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HHt27t0dj1', 'P6e25Aj47u', 'f822nRZ0KS', 'kry2gEkAIN', 'dFk2mY6FjV', 'hlY2RQK7k7', 'nn82crIklZ'
                    Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, a9Jf6RK6DvE2Wnfcjo.cs | High entropy of concatenated method names: 'SgFOKOZ7jN', 'hdPO3nLxXA', 'IuCOpkPas1', 'nCWOSFBJaE', 'PrwOHREnrc', 'GqfO6MTlq0', 'xlFOd5LqVr', 'FcyOP1ioIq', 'bSVO8SuU9p', 'wNrOMyTk2S'
                    Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, KGrF0bFArvIPSaM0rx.cs | High entropy of concatenated method names: 'j7R6KrOXAv', 'vlK6pleJPp', 'bDd6H6KmlL', 'pa4Hu9CPFO', 'Q6GHzydtKx', 'nTc64MpboE', 'C5f6X89O3m', 'FLo6LyareV', 'sdO6jnCGYy', 'uub6kiZVeu'
                    Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, EGW1In2sxEk72sqfx8.cs | High entropy of concatenated method names: 'w8ijq3hQbi', 'RZjjKT3yWN', 'InBj3trNVt', 'frpjpLw6f9', 'GonjSyJEsT', 'nMojHN4oJc', 'a3rj6s71t0', 'BEPjdDGFqu', 'zfPjPpH7wZ', 'Fw3j85RExc'
                    Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, JGt8leideG3tEw3FFw.cs | High entropy of concatenated method names: 'p8BX69Chcm', 'UdpXdAgx8X', 'pTdX8nRXOG', 'Y1DXM4BNDw', 'IPBXeP2W5U', 'V47XDb8nZZ', 'M7WVG0WMmBLAQT0Nk1', 'GrTuMf1AHyW0wtkhgm', 'kiVgIFkicWxHjSBOOQ', 'wITXXrC79k'
                    Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, qq8b56hyCVeqo4mhxD.cs | High entropy of concatenated method names: 'L2VOWS122e', 'e0JOACvmn6', 'JH3OQf8KJ5', 'l0pOsWDL3b', 'HFCO7ep4Xh', 'VePOiTR8oR', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, z5urZkslVeJkKSP9xS.cs | High entropy of concatenated method names: 'l2EeT1qhRI', 'jYeebNyP8b', 'Cmle7GWpFr', 'OT6e54YlQW', 'lK0eAyVwwA', 'vv2eQSSfsl', 'nOfesef6a5', 'iCIeiMNFnj', 'lJdewQnU0s', 'q2HeCgVLQP'
                    Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, LpC6HlESRmbB0HCWjb.cs | High entropy of concatenated method names: 'I1IrXvySP7', 'bPRrjLiKld', 'zIsrk9F5nP', 'GN0rKWEyxT', 'dO3r3vuvGE', 'kwvrSguksF', 'mHirH1VBOu', 'rwVOc3f1Eh', 'hFUOhxg0HP', 'quZOy4Json'
                    Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, FpLxU0USGQJ0hASUnF9.cs | High entropy of concatenated method names: 'vyLrojyPsh', 'd6Wr1VCg7Y', 'twlrtyio0H', 'LMtrEGXROm', 'e4JrJ8F9g8', 'juxrlZSMbK', 'J8Hr0byZk5', 'iY4r946lWx', 'kTbrZnahfs', 'KErraLc6ld'
                    Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, EQSd2GR5QIKoQb3pwL.cs | High entropy of concatenated method names: 'Dispose', 'FMbXyt4mVu', 'gB4LAHpEeU', 'XbiVVNu8KF', 'BaPXueQq8L', 'rdMXzu6F6m', 'ProcessDialogKey', 'hDoL4o7n0C', 'tI5LXTJfFI', 'mHSLLMvn5X'
                    Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, YytYwTXRVn7U81VOno.cs | High entropy of concatenated method names: 'i0p37pHOV4', 'cqL35EtsJm', 'sDZ3noBtXj', 'Fpe3g5miCu', 'CEN3m3L8eX', 'sXF3RfPcUB', 'EZr3cbFn9p', 'mFo3hnHetx', 'QNh3y2YjO1', 'HYU3u0bxtc'
                    Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, VkYf5BPjdXsGlTY65o.cs | High entropy of concatenated method names: 'SxIpEN6DTu', 'nckplmVpkn', 'SZIp9KW9iu', 'JffpZ40gCj', 'qohpeXV1ti', 'yvMpDKy4ev', 'LTppNWvUGU', 'ypOpOYiyNg', 'NI7pr08V0a', 'IFhp2ElSPx'
                    Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, MCfrSMWdlxWVY1IL1f.cs | High entropy of concatenated method names: 'ID3I9I8why', 'sPsIZDLsUK', 'RjbIW0rOAZ', 'LHBIA7rIpf', 'q5pIsyM4ff', 'sC1IipnrZd', 'jwPICf1Uxx', 'QPwIGGvWyw', 'XaxITJdgdg', 'CRWIf1WYjN'
                    Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, boHndMrnP1k12e3lIF.cs | High entropy of concatenated method names: 'a69Nh8xuT6', 'eHYNubMpPh', 'C37O4cOH0m', 'P1FOXmZ7Re', 'byHNfIywoB', 'oYUNbRyQaL', 'wUrNYDV574', 'q5XN7EYIHj', 'ICSN5RR8PQ', 'X5HNndBiEf'
                    Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, CFC8oSAR2QsHjWaGqv.cs | High entropy of concatenated method names: 'gXXtV7N8f', 'VM9EyVCGl', 'gEDlu2red', 'MDQ0i5x24', 'FeqZNnCFY', 'pJGahV8rN', 'vLFOcvFxvkQxqmT7ZW', 'Mla4EfKO5pGeg00Eew', 'Br2OaRLQA', 'hay2g3TJH'
                    Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, J4ugg54wIbg5846ALq.cs | High entropy of concatenated method names: 'la7Hq9VSxc', 'aOHH3yGFAY', 'ItIHS3DB6v', 'YJQH6lopwl', 'ErwHdj0tBY', 't9oSmkXEcX', 'MtPSRBLA0Y', 'kBpScqIPBb', 'XSUShWqoe0', 'WnNSyEt9bp'
                    Source: 0.2.PROFORMA FATURA.exe.491f340.2.raw.unpack, hIIN84dB4yLGgx3Xmo.cs | High entropy of concatenated method names: 'KNFN8NcRIV', 'OvDNMdJccD', 'ToString', 'HSwNKchN9D', 'PYYN33RFbY', 'iYFNprc0lR', 'X0GNSISsMI', 'VpcNHWkyAr', 'yD1N6uIZ7j', 'SPfNdnynLO'
                    Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, g4Qs8M5oWwROxbKec3.cs | High entropy of concatenated method names: 'fGG6ov0mZ1', 'z9861YA9qS', 'O8W6tBllRO', 'RZf6Ev8JCW', 'c1q6JVyrhH', 'qFy6l03KBO', 'v4E60y3waN', 'XgV69ehsdG', 'FLQ6ZwkB9k', 'QcI6aJgQw9'
                    Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, zgxQIxz5lAukYUxvcV.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LYurI4lJjl', 'DZQre7PP7g', 'AetrDsDgK8', 'b1KrN59af1', 'SJmrOnkyC9', 'PAZrrXZ5KF', 'AFYr24Uy4L'
                    Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, JTnk9wqS5upEMWkVDI.cs | High entropy of concatenated method names: 'GODHWatdyD3ai5D1mqb', 'wX7NoKtHR7EPQpZs1Cu', 'rl9HOgrwQ3', 'obXHrWJFf7', 'fOTH2E62eW', 'DNVxNAt0Ia2l0xdeW2U', 'g4ZJ6stceAIeDFVhj9b'
                    Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, SIM1vrU83M80n3ghnSU.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HHt27t0dj1', 'P6e25Aj47u', 'f822nRZ0KS', 'kry2gEkAIN', 'dFk2mY6FjV', 'hlY2RQK7k7', 'nn82crIklZ'
                    Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, a9Jf6RK6DvE2Wnfcjo.cs | High entropy of concatenated method names: 'SgFOKOZ7jN', 'hdPO3nLxXA', 'IuCOpkPas1', 'nCWOSFBJaE', 'PrwOHREnrc', 'GqfO6MTlq0', 'xlFOd5LqVr', 'FcyOP1ioIq', 'bSVO8SuU9p', 'wNrOMyTk2S'
                    Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, KGrF0bFArvIPSaM0rx.cs | High entropy of concatenated method names: 'j7R6KrOXAv', 'vlK6pleJPp', 'bDd6H6KmlL', 'pa4Hu9CPFO', 'Q6GHzydtKx', 'nTc64MpboE', 'C5f6X89O3m', 'FLo6LyareV', 'sdO6jnCGYy', 'uub6kiZVeu'
                    Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, EGW1In2sxEk72sqfx8.cs | High entropy of concatenated method names: 'w8ijq3hQbi', 'RZjjKT3yWN', 'InBj3trNVt', 'frpjpLw6f9', 'GonjSyJEsT', 'nMojHN4oJc', 'a3rj6s71t0', 'BEPjdDGFqu', 'zfPjPpH7wZ', 'Fw3j85RExc'
                    Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, JGt8leideG3tEw3FFw.cs | High entropy of concatenated method names: 'p8BX69Chcm', 'UdpXdAgx8X', 'pTdX8nRXOG', 'Y1DXM4BNDw', 'IPBXeP2W5U', 'V47XDb8nZZ', 'M7WVG0WMmBLAQT0Nk1', 'GrTuMf1AHyW0wtkhgm', 'kiVgIFkicWxHjSBOOQ', 'wITXXrC79k'
                    Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, qq8b56hyCVeqo4mhxD.cs | High entropy of concatenated method names: 'L2VOWS122e', 'e0JOACvmn6', 'JH3OQf8KJ5', 'l0pOsWDL3b', 'HFCO7ep4Xh', 'VePOiTR8oR', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, z5urZkslVeJkKSP9xS.cs | High entropy of concatenated method names: 'l2EeT1qhRI', 'jYeebNyP8b', 'Cmle7GWpFr', 'OT6e54YlQW', 'lK0eAyVwwA', 'vv2eQSSfsl', 'nOfesef6a5', 'iCIeiMNFnj', 'lJdewQnU0s', 'q2HeCgVLQP'
                    Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, LpC6HlESRmbB0HCWjb.cs | High entropy of concatenated method names: 'I1IrXvySP7', 'bPRrjLiKld', 'zIsrk9F5nP', 'GN0rKWEyxT', 'dO3r3vuvGE', 'kwvrSguksF', 'mHirH1VBOu', 'rwVOc3f1Eh', 'hFUOhxg0HP', 'quZOy4Json'
                    Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, FpLxU0USGQJ0hASUnF9.cs | High entropy of concatenated method names: 'vyLrojyPsh', 'd6Wr1VCg7Y', 'twlrtyio0H', 'LMtrEGXROm', 'e4JrJ8F9g8', 'juxrlZSMbK', 'J8Hr0byZk5', 'iY4r946lWx', 'kTbrZnahfs', 'KErraLc6ld'
                    Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, EQSd2GR5QIKoQb3pwL.cs | High entropy of concatenated method names: 'Dispose', 'FMbXyt4mVu', 'gB4LAHpEeU', 'XbiVVNu8KF', 'BaPXueQq8L', 'rdMXzu6F6m', 'ProcessDialogKey', 'hDoL4o7n0C', 'tI5LXTJfFI', 'mHSLLMvn5X'
                    Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, YytYwTXRVn7U81VOno.cs | High entropy of concatenated method names: 'i0p37pHOV4', 'cqL35EtsJm', 'sDZ3noBtXj', 'Fpe3g5miCu', 'CEN3m3L8eX', 'sXF3RfPcUB', 'EZr3cbFn9p', 'mFo3hnHetx', 'QNh3y2YjO1', 'HYU3u0bxtc'
                    Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, VkYf5BPjdXsGlTY65o.cs | High entropy of concatenated method names: 'SxIpEN6DTu', 'nckplmVpkn', 'SZIp9KW9iu', 'JffpZ40gCj', 'qohpeXV1ti', 'yvMpDKy4ev', 'LTppNWvUGU', 'ypOpOYiyNg', 'NI7pr08V0a', 'IFhp2ElSPx'
                    Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, MCfrSMWdlxWVY1IL1f.cs | High entropy of concatenated method names: 'ID3I9I8why', 'sPsIZDLsUK', 'RjbIW0rOAZ', 'LHBIA7rIpf', 'q5pIsyM4ff', 'sC1IipnrZd', 'jwPICf1Uxx', 'QPwIGGvWyw', 'XaxITJdgdg', 'CRWIf1WYjN'
                    Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, boHndMrnP1k12e3lIF.cs | High entropy of concatenated method names: 'a69Nh8xuT6', 'eHYNubMpPh', 'C37O4cOH0m', 'P1FOXmZ7Re', 'byHNfIywoB', 'oYUNbRyQaL', 'wUrNYDV574', 'q5XN7EYIHj', 'ICSN5RR8PQ', 'X5HNndBiEf'
                    Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, CFC8oSAR2QsHjWaGqv.cs | High entropy of concatenated method names: 'gXXtV7N8f', 'VM9EyVCGl', 'gEDlu2red', 'MDQ0i5x24', 'FeqZNnCFY', 'pJGahV8rN', 'vLFOcvFxvkQxqmT7ZW', 'Mla4EfKO5pGeg00Eew', 'Br2OaRLQA', 'hay2g3TJH'
                    Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, J4ugg54wIbg5846ALq.cs | High entropy of concatenated method names: 'la7Hq9VSxc', 'aOHH3yGFAY', 'ItIHS3DB6v', 'YJQH6lopwl', 'ErwHdj0tBY', 't9oSmkXEcX', 'MtPSRBLA0Y', 'kBpScqIPBb', 'XSUShWqoe0', 'WnNSyEt9bp'
                    Source: 0.2.PROFORMA FATURA.exe.a080000.6.raw.unpack, hIIN84dB4yLGgx3Xmo.cs | High entropy of concatenated method names: 'KNFN8NcRIV', 'OvDNMdJccD', 'ToString', 'HSwNKchN9D', 'PYYN33RFbY', 'iYFNprc0lR', 'X0GNSISsMI', 'VpcNHWkyAr', 'yD1N6uIZ7j', 'SPfNdnynLO'
                    Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, g4Qs8M5oWwROxbKec3.cs | High entropy of concatenated method names: 'fGG6ov0mZ1', 'z9861YA9qS', 'O8W6tBllRO', 'RZf6Ev8JCW', 'c1q6JVyrhH', 'qFy6l03KBO', 'v4E60y3waN', 'XgV69ehsdG', 'FLQ6ZwkB9k', 'QcI6aJgQw9'
                    Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, zgxQIxz5lAukYUxvcV.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LYurI4lJjl', 'DZQre7PP7g', 'AetrDsDgK8', 'b1KrN59af1', 'SJmrOnkyC9', 'PAZrrXZ5KF', 'AFYr24Uy4L'
                    Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, JTnk9wqS5upEMWkVDI.cs | High entropy of concatenated method names: 'GODHWatdyD3ai5D1mqb', 'wX7NoKtHR7EPQpZs1Cu', 'rl9HOgrwQ3', 'obXHrWJFf7', 'fOTH2E62eW', 'DNVxNAt0Ia2l0xdeW2U', 'g4ZJ6stceAIeDFVhj9b'
                    Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, SIM1vrU83M80n3ghnSU.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HHt27t0dj1', 'P6e25Aj47u', 'f822nRZ0KS', 'kry2gEkAIN', 'dFk2mY6FjV', 'hlY2RQK7k7', 'nn82crIklZ'
                    Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, a9Jf6RK6DvE2Wnfcjo.cs | High entropy of concatenated method names: 'SgFOKOZ7jN', 'hdPO3nLxXA', 'IuCOpkPas1', 'nCWOSFBJaE', 'PrwOHREnrc', 'GqfO6MTlq0', 'xlFOd5LqVr', 'FcyOP1ioIq', 'bSVO8SuU9p', 'wNrOMyTk2S'
                    Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, KGrF0bFArvIPSaM0rx.cs | High entropy of concatenated method names: 'j7R6KrOXAv', 'vlK6pleJPp', 'bDd6H6KmlL', 'pa4Hu9CPFO', 'Q6GHzydtKx', 'nTc64MpboE', 'C5f6X89O3m', 'FLo6LyareV', 'sdO6jnCGYy', 'uub6kiZVeu'
                    Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, EGW1In2sxEk72sqfx8.cs | High entropy of concatenated method names: 'w8ijq3hQbi', 'RZjjKT3yWN', 'InBj3trNVt', 'frpjpLw6f9', 'GonjSyJEsT', 'nMojHN4oJc', 'a3rj6s71t0', 'BEPjdDGFqu', 'zfPjPpH7wZ', 'Fw3j85RExc'
                    Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, JGt8leideG3tEw3FFw.cs | High entropy of concatenated method names: 'p8BX69Chcm', 'UdpXdAgx8X', 'pTdX8nRXOG', 'Y1DXM4BNDw', 'IPBXeP2W5U', 'V47XDb8nZZ', 'M7WVG0WMmBLAQT0Nk1', 'GrTuMf1AHyW0wtkhgm', 'kiVgIFkicWxHjSBOOQ', 'wITXXrC79k'
                    Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, qq8b56hyCVeqo4mhxD.cs | High entropy of concatenated method names: 'L2VOWS122e', 'e0JOACvmn6', 'JH3OQf8KJ5', 'l0pOsWDL3b', 'HFCO7ep4Xh', 'VePOiTR8oR', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, z5urZkslVeJkKSP9xS.cs | High entropy of concatenated method names: 'l2EeT1qhRI', 'jYeebNyP8b', 'Cmle7GWpFr', 'OT6e54YlQW', 'lK0eAyVwwA', 'vv2eQSSfsl', 'nOfesef6a5', 'iCIeiMNFnj', 'lJdewQnU0s', 'q2HeCgVLQP'
                    Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, LpC6HlESRmbB0HCWjb.cs | High entropy of concatenated method names: 'I1IrXvySP7', 'bPRrjLiKld', 'zIsrk9F5nP', 'GN0rKWEyxT', 'dO3r3vuvGE', 'kwvrSguksF', 'mHirH1VBOu', 'rwVOc3f1Eh', 'hFUOhxg0HP', 'quZOy4Json'
                    Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, FpLxU0USGQJ0hASUnF9.cs | High entropy of concatenated method names: 'vyLrojyPsh', 'd6Wr1VCg7Y', 'twlrtyio0H', 'LMtrEGXROm', 'e4JrJ8F9g8', 'juxrlZSMbK', 'J8Hr0byZk5', 'iY4r946lWx', 'kTbrZnahfs', 'KErraLc6ld'
                    Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, EQSd2GR5QIKoQb3pwL.cs | High entropy of concatenated method names: 'Dispose', 'FMbXyt4mVu', 'gB4LAHpEeU', 'XbiVVNu8KF', 'BaPXueQq8L', 'rdMXzu6F6m', 'ProcessDialogKey', 'hDoL4o7n0C', 'tI5LXTJfFI', 'mHSLLMvn5X'
                    Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, YytYwTXRVn7U81VOno.cs | High entropy of concatenated method names: 'i0p37pHOV4', 'cqL35EtsJm', 'sDZ3noBtXj', 'Fpe3g5miCu', 'CEN3m3L8eX', 'sXF3RfPcUB', 'EZr3cbFn9p', 'mFo3hnHetx', 'QNh3y2YjO1', 'HYU3u0bxtc'
                    Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, VkYf5BPjdXsGlTY65o.cs | High entropy of concatenated method names: 'SxIpEN6DTu', 'nckplmVpkn', 'SZIp9KW9iu', 'JffpZ40gCj', 'qohpeXV1ti', 'yvMpDKy4ev', 'LTppNWvUGU', 'ypOpOYiyNg', 'NI7pr08V0a', 'IFhp2ElSPx'
                    Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, MCfrSMWdlxWVY1IL1f.cs | High entropy of concatenated method names: 'ID3I9I8why', 'sPsIZDLsUK', 'RjbIW0rOAZ', 'LHBIA7rIpf', 'q5pIsyM4ff', 'sC1IipnrZd', 'jwPICf1Uxx', 'QPwIGGvWyw', 'XaxITJdgdg', 'CRWIf1WYjN'
                    Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, boHndMrnP1k12e3lIF.cs | High entropy of concatenated method names: 'a69Nh8xuT6', 'eHYNubMpPh', 'C37O4cOH0m', 'P1FOXmZ7Re', 'byHNfIywoB', 'oYUNbRyQaL', 'wUrNYDV574', 'q5XN7EYIHj', 'ICSN5RR8PQ', 'X5HNndBiEf'
                    Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, CFC8oSAR2QsHjWaGqv.cs | High entropy of concatenated method names: 'gXXtV7N8f', 'VM9EyVCGl', 'gEDlu2red', 'MDQ0i5x24', 'FeqZNnCFY', 'pJGahV8rN', 'vLFOcvFxvkQxqmT7ZW', 'Mla4EfKO5pGeg00Eew', 'Br2OaRLQA', 'hay2g3TJH'
                    Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, J4ugg54wIbg5846ALq.cs | High entropy of concatenated method names: 'la7Hq9VSxc', 'aOHH3yGFAY', 'ItIHS3DB6v', 'YJQH6lopwl', 'ErwHdj0tBY', 't9oSmkXEcX', 'MtPSRBLA0Y', 'kBpScqIPBb', 'XSUShWqoe0', 'WnNSyEt9bp'
                    Source: 0.2.PROFORMA FATURA.exe.499d360.0.raw.unpack, hIIN84dB4yLGgx3Xmo.cs | High entropy of concatenated method names: 'KNFN8NcRIV', 'OvDNMdJccD', 'ToString', 'HSwNKchN9D', 'PYYN33RFbY', 'iYFNprc0lR', 'X0GNSISsMI', 'VpcNHWkyAr', 'yD1N6uIZ7j', 'SPfNdnynLO'
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | File created: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe
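Three of the static findings in this section (the 0xDEBF553A timestamp that decodes to June 2088, the .text section at 7.50 bits of entropy, and the .NET type whose methods are either invisible Unicode or random alphanumerics) can be reproduced with a short static check. The block below is an added example written for this page; it is not Joe Sandbox code and nothing in it comes from the sample itself. It parses a constructed minimal PE (the timestamp is the one reported above, the section bytes are generated), decodes the report's `_200E_200C_...` rendering of non-printable identifiers to check that every code point is a Unicode format character, and applies an entropy cut-off to method-name lists copied from the findings. The thresholds (7.0 bits per byte for a section, 4.8 for names) and the minimal-PE builder are assumptions, not the sandbox's exact rules.

```python
"""Static triage for three findings in the report: a COFF timestamp in the
future, a high-entropy .text section, and .NET identifiers that are either
invisible Unicode or random strings."""
import math
import random
import re
import struct
import unicodedata
from collections import Counter
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
SECTION_ENTROPY_THRESHOLD = 7.0   # assumption: common cut-off for packed code
NAME_ENTROPY_THRESHOLD = 4.8      # assumption: tuned on the sample lists below
ESCAPED = re.compile(r"_([0-9A-Fa-f]{4})")

def shannon_entropy(seq) -> float:
    """Shannon entropy in bits per symbol of a bytes object or a string."""
    if not seq:
        return 0.0
    n = len(seq)
    return -sum(c / n * math.log2(c / n) for c in Counter(seq).values())

def parse_pe(data: bytes) -> dict:
    """COFF timestamp and per-section entropy, read straight from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    sections = []
    for i in range(nsect):   # section table follows the optional header
        off = pe + 24 + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _, _, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, shannon_entropy(data[raw_ptr:raw_ptr + raw_size])))
    return {"timestamp_raw": ts, "timestamp": EPOCH + timedelta(seconds=ts),
            "sections": sections}

def pe_findings(data: bytes, now: datetime) -> list:
    """Flag a build time after 'now' and any section above the entropy cut-off."""
    info = parse_pe(data)
    out = []
    if info["timestamp"] > now:
        out.append("timestamp 0x%08X is in the future (%s UTC)" % (
            info["timestamp_raw"], info["timestamp"].strftime("%Y-%m-%d %H:%M:%S")))
    out += ["section %s entropy %.3f: packed or encrypted payload likely" % (n, e)
            for n, e in info["sections"] if e >= SECTION_ENTROPY_THRESHOLD]
    return out

def decode_escaped_name(name: str) -> str:
    """Undo the report's '_200E_200C_...' rendering of non-printable identifiers."""
    return ESCAPED.sub(lambda m: chr(int(m.group(1), 16)), name)

def is_invisible_identifier(name: str) -> bool:
    """True when every code point is a Unicode format character (category Cf):
    zero-width spaces, joiners and bidi controls that render as nothing."""
    return bool(name) and all(unicodedata.category(c) == "Cf" for c in name)

def looks_machine_named(methods) -> bool:
    """The report's heuristic: entropy of the concatenated method names."""
    return shannon_entropy("".join(methods)) >= NAME_ENTROPY_THRESHOLD

def build_sample_pe(timestamp: int, sections) -> bytes:
    """Constructed minimal PE: DOS header, COFF header, no optional header, sections."""
    pe = 0x40
    ptr, sect_hdrs, raw = pe + 24 + 40 * len(sections), b"", b""
    for name, body in sections:
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                 len(body), 0, len(body), ptr, 0, 0, 0, 0, 0x60000020)
        ptr += len(body)
        raw += body
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", pe)      # e_lfanew lands at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0x0102)
    return dos + b"PE\0\0" + coff + sect_hdrs + raw

# Constructed inputs: the report's timestamp, generated bytes standing in for a
# packed .text, and method-name lists copied from the report's findings.
_rng = random.Random(7)
SAMPLE_PE = build_sample_pe(0xDEBF553A, [
    (".text", bytes(_rng.getrandbits(8) for _ in range(4096))),
    (".rsrc", b"\0" * 2048),
])
INVISIBLE_NAME = ("_200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F"
                  "_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B"
                  "_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E")
RANDOM_NAMES = ["fGG6ov0mZ1", "z9861YA9qS", "O8W6tBllRO", "RZf6Ev8JCW", "c1q6JVyrhH",
                "qFy6l03KBO", "v4E60y3waN", "XgV69ehsdG", "FLQ6ZwkB9k", "QcI6aJgQw9"]
MIXED_NAMES = ["CanConvertFrom", "ConvertFrom", "ConvertTo", "LYurI4lJjl", "DZQre7PP7g",
               "AetrDsDgK8", "b1KrN59af1", "SJmrOnkyC9", "PAZrrXZ5KF", "AFYr24Uy4L"]
NORMAL_NAMES = ["CanConvertFrom", "ConvertFrom", "ConvertTo", "Dispose",
                "ProcessDialogKey", "ToString", "Next", "NextBytes"]

if __name__ == "__main__":
    for line in pe_findings(SAMPLE_PE, now=EPOCH.replace(year=2024)):
        print(line)
    print("invisible identifier:", is_invisible_identifier(decode_escaped_name(INVISIBLE_NAME)))
    for label, names in (("random", RANDOM_NAMES), ("mixed", MIXED_NAMES), ("normal", NORMAL_NAMES)):
        print(label, round(shannon_entropy("".join(names)), 2), looks_machine_named(names))
```

Two caveats worth keeping in mind when reusing this. The name-entropy heuristic still fires on classes that keep a few framework overrides (CanConvertFrom, ConvertTo) among renamed members, which is exactly what the zgxQIxz5lAukYUxvcV.cs finding above shows, so it is evidence of renaming rather than of malice on its own. The invisible-identifier check, by contrast, has almost no benign hits: a method whose name is nothing but bidi and zero-width controls is valid to the CLR but exists only to defeat decompilers and string matching.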

                    Boot Survival

                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GvgUQlbRIXOe" /XML "C:\Users\user\AppData\Local\Temp\tmpAB7A.tmp"
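The line above is the persistence step: the dropper writes a task definition to %TEMP% under a GetTempFileName-style name (tmp + four hex digits + .tmp), registers it under Updates\ with the same name as the binary it dropped to %APPDATA%, and the image that actually runs is the SysWOW64 copy of schtasks.exe because the 32-bit parent's "System32" path is redirected by WOW64. The block below is an added example, not part of the report and not the Sigma rule it cites; it approximates that rule's logic over constructed Sysmon-style process-creation records. The field names and the three sample events are assumptions made for the example.

```python
"""Detection for the persistence step above: schtasks.exe /Create fed a task
definition XML written to the user's Temp directory (the pattern behind the
Sigma hit "Scheduled temp file as task from temp location")."""
import re
from typing import Optional

ARG_RE = re.compile(r'"([^"]*)"|(\S+)')
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Naming that Win32 GetTempFileName (and .NET Path.GetTempFileName) produces.
GETTEMPFILENAME_RE = re.compile(r"\\tmp[0-9a-f]{4}\.tmp$", re.IGNORECASE)

def split_cmdline(cmdline: str) -> list:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]

def option_value(args, switch: str) -> Optional[str]:
    """Value after a case-insensitive schtasks switch such as /TN or /XML."""
    for i in range(len(args) - 1):
        if args[i].lower() == switch.lower():
            return args[i + 1]
    return None

def analyze_schtasks(event: dict) -> Optional[dict]:
    """One process-creation record in, a finding out (or None).
    Match on Image rather than on the path inside CommandLine: a 32-bit parent
    such as PROFORMA FATURA.exe spells System32 but WOW64 runs SysWOW64\\schtasks.exe."""
    if not event.get("Image", "").lower().endswith("\\schtasks.exe"):
        return None
    args = split_cmdline(event.get("CommandLine", ""))
    if "/create" not in {a.lower() for a in args}:
        return None
    xml = option_value(args, "/XML")
    if xml is None or not any(d in xml.lower() for d in TEMP_DIRS):
        return None
    return {
        "task": option_value(args, "/TN"),
        "xml": xml,
        "parent": event.get("ParentImage"),
        "gettempfilename_pattern": bool(GETTEMPFILENAME_RE.search(xml)),
    }

def scan(events) -> list:
    """Run the rule over a batch of records and keep the hits."""
    return [f for f in map(analyze_schtasks, events) if f]

# Constructed records. The first mirrors the report's process-creation line; the
# other two are benign look-alikes the rule must not fire on.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\user\Desktop\PROFORMA FATURA.exe",
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GvgUQlbRIXOe" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmpAB7A.tmp"'},
    {"ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Vendor\Updater" /XML "C:\Program Files\Vendor\updater.xml"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Query /TN "Updates\GvgUQlbRIXOe" /XML'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

When triaging a hit, the XML itself is the artifact to collect: it is usually gone from %TEMP% by the time a responder looks, but the Task Scheduler keeps the registered copy under C:\Windows\System32\Tasks\Updates\, and its Exec action should point at the dropped %APPDATA% executable named in the File created line above.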

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe - Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match - File source: Process Memory Space: PROFORMA FATURA.exe PID: 2672, type: MEMORYSTR
Source: Yara match - File source: Process Memory Space: GvgUQlbRIXOe.exe PID: 6412, type: MEMORYSTR
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe - WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe - WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe - Memory allocated: 2C40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe - Memory allocated: 2E90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe - Memory allocated: 2CC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe - Memory allocated: 7980000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe - Memory allocated: 8980000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe - Memory allocated: 8B20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe - Memory allocated: 9B20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe - Memory allocated: A100000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe - Memory allocated: B100000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe - Memory allocated: C100000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe - Memory allocated: DA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe - Memory allocated: 2880000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROFORMA FATURA.exe - Memory allocated: 4880000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe - Memory allocated: 1630000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe - Memory allocated: 3000000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe - Memory allocated: 5000000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe - Memory allocated: 7A50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe - Memory allocated: 8A50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe - Memory allocated: 8BF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe - Memory allocated: 9BF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe - Memory allocated: 9F20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe - Memory allocated: AF20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe - Memory allocated: BF20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe - Memory allocated: 10E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe - Memory allocated: 2BD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe - Memory allocated: 4BD0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6979
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7524
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1408
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Window / User API: threadDelayed 5378
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Window / User API: threadDelayed 4439
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Window / User API: threadDelayed 6586
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Window / User API: threadDelayed 3269
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 3108; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4892; Thread sleep count: 6979 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4892; Thread sleep count: 240 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7028; Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 404; Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6268; Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2016; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep count: 36 > 30
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -33204139332677172s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -200000s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -99874s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 4236; Thread sleep count: 5378 > 30
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 4236; Thread sleep count: 4439 > 30
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -99765s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -99654s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -99531s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -99421s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -99312s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -99203s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -99093s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -98980s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -98859s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -98749s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -98640s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -98531s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -98403s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -98296s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -98186s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -98010s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -97895s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -97777s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -97671s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -97559s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -97452s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -97343s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -97234s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -97124s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -97015s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -96906s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -96796s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -96687s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -96577s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -96468s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -96359s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -96249s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -96140s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -96017s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -95906s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -95796s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -95678s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -95562s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -95446s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -99890s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -99781s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -99672s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -99547s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -99437s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -99328s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -99218s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -99109s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe TID: 6204; Thread sleep time: -99000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 7100; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep count: 34 > 30
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -31359464925306218s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -99890s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 2848; Thread sleep count: 6586 > 30
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 2848; Thread sleep count: 3269 > 30
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -99780s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -99671s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -99561s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -99453s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -99343s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -99220s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -99094s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -98984s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -98874s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -98714s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -98216s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -98109s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -97998s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -97888s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -97779s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -97671s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -97562s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -97450s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -97343s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -97234s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -97124s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -97015s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -96906s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -96797s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -96687s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -96578s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -96468s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -96359s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -96250s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -96140s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -96031s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -95921s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -99984s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -99875s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -99765s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -99656s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -99547s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -99437s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -99328s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -99218s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -99109s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -99000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -98890s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -98781s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -98672s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -98562s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -98453s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -98343s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe TID: 5208; Thread sleep time: -98234s >= -30000s
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 99874
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 99765
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 99654
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 99531
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 99421
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 99312
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 99203
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 99093
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 98980
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 98859
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 98749
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 98640
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 98531
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 98403
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 98296
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 98186
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 98010
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 97895
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 97777
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 97671
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 97559
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 97452
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 97343
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 97234
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 97124
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 97015
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 96906
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 96796
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 96687
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 96577
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 96468
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 96359
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 96249
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 96140
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 96017
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 95906
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 95796
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 95678
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 95562
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 95446
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 99890
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 99781
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 99672
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 99547
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 99437
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 99328
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 99218
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 99109
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Thread delayed: delay time: 99000
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 99890
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 99780
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 99671
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 99561
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 99453
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 99343
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 99220
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 99094
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 98984
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 98874
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 98714
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 98216
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 98109
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 97998
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 97888
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 97779
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 97671
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 97562
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 97450
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 97343
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 97234
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 97124
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 97015
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 96906
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 96797
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 96687
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 96578
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 96468
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 96359
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 96250
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 96140
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 96031
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 95921
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 99984
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 99875
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 99765
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 99656
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 99547
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 99437
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 99328
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 99218
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 99109
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 99000
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 98890
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 98781
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 98672
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 98562
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 98453
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 98343
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe; Thread delayed: delay time: 98234
                    Source: PROFORMA FATURA.exe, 00000009.00000002.4569708487.0000000000B85000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4569767009.0000000001016000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe; Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA FATURA.exe"
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe"
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA FATURA.exe"
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe"
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Memory written: C:\Users\user\Desktop\PROFORMA FATURA.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Memory written: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA FATURA.exe"
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe"
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GvgUQlbRIXOe" /XML "C:\Users\user\AppData\Local\Temp\tmpAB7A.tmp"
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Process created: C:\Users\user\Desktop\PROFORMA FATURA.exe "C:\Users\user\Desktop\PROFORMA FATURA.exe"
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GvgUQlbRIXOe" /XML "C:\Users\user\AppData\Local\Temp\tmpBA20.tmp"
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Process created: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe "C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe"
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Queries volume information: C:\Users\user\Desktop\PROFORMA FATURA.exe VolumeInformation
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Queries volume information: C:\Users\user\Desktop\PROFORMA FATURA.exe VolumeInformation
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Queries volume information: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Queries volume information: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 11.2.GvgUQlbRIXOe.exe.4beb6e0.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.GvgUQlbRIXOe.exe.4c27f00.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PROFORMA FATURA.exe.4a7ab68.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PROFORMA FATURA.exe.4ab7388.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PROFORMA FATURA.exe.4ab7388.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.GvgUQlbRIXOe.exe.4c27f00.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PROFORMA FATURA.exe.4a7ab68.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.GvgUQlbRIXOe.exe.4beb6e0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000E.00000002.4572147923.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.4572147923.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.4572408671.00000000028CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.4572408671.00000000028F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.4572147923.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.2219115296.0000000004BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.4572408671.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2171035964.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: PROFORMA FATURA.exe PID: 2672, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: PROFORMA FATURA.exe PID: 5396, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: GvgUQlbRIXOe.exe PID: 6412, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: GvgUQlbRIXOe.exe PID: 6112, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\PROFORMA FATURA.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 11.2.GvgUQlbRIXOe.exe.4beb6e0.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.GvgUQlbRIXOe.exe.4c27f00.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PROFORMA FATURA.exe.4a7ab68.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PROFORMA FATURA.exe.4ab7388.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PROFORMA FATURA.exe.4ab7388.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.GvgUQlbRIXOe.exe.4c27f00.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PROFORMA FATURA.exe.4a7ab68.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.GvgUQlbRIXOe.exe.4beb6e0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000E.00000002.4572147923.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.2219115296.0000000004BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.4572408671.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2171035964.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: PROFORMA FATURA.exe PID: 2672, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: PROFORMA FATURA.exe PID: 5396, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: GvgUQlbRIXOe.exe PID: 6412, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: GvgUQlbRIXOe.exe PID: 6112, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match, File source: 11.2.GvgUQlbRIXOe.exe.4beb6e0.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 11.2.GvgUQlbRIXOe.exe.4c27f00.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.PROFORMA FATURA.exe.4a7ab68.4.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.PROFORMA FATURA.exe.4ab7388.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.PROFORMA FATURA.exe.4ab7388.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 11.2.GvgUQlbRIXOe.exe.4c27f00.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.PROFORMA FATURA.exe.4a7ab68.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 11.2.GvgUQlbRIXOe.exe.4beb6e0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0000000E.00000002.4572147923.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000E.00000002.4572147923.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000009.00000002.4572408671.00000000028CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000009.00000002.4572408671.00000000028F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000E.00000002.4572147923.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000B.00000002.2219115296.0000000004BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000009.00000002.4572408671.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.2171035964.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: PROFORMA FATURA.exe PID: 2672, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: PROFORMA FATURA.exe PID: 5396, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: GvgUQlbRIXOe.exe PID: 6412, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: GvgUQlbRIXOe.exe PID: 6112, type: MEMORYSTR
                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                    Execution: 121 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                    Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    Privilege Escalation: 1 DLL Side-Loading; 111 Process Injection; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 Masquerading; 141 Virtualization/Sandbox Evasion; 111 Process Injection
                    Credential Access: 2 OS Credential Dumping; 21 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                    Discovery: 1 File and Directory Discovery; 24 System Information Discovery; 1 Query Registry; 211 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; System Owner/User Discovery; Network Sniffing
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                    Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 21 Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                    Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 1525518, Sample: PROFORMA FATURA.exe, Startdate: 04/10/2024, Architecture: WINDOWS, Score: 100

                    Start
                      DNS/IP: zqamcx.com
                      Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
                      started: PROFORMA FATURA.exe 7
                        dropped: C:\Users\user\AppData\...\GvgUQlbRIXOe.exe, PE32
                        dropped: C:\Users\...\GvgUQlbRIXOe.exe:Zone.Identifier, ASCII
                        dropped: C:\Users\user\AppData\Local\...\tmpAB7A.tmp, XML
                        dropped: C:\Users\user\...\PROFORMA FATURA.exe.log, ASCII
                        Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                        started: PROFORMA FATURA.exe 2
                          DNS/IP: zqamcx.com 78.110.166.82, ports 53953, 53956, 53958, UKSERVERS-ASUKDedicatedServersHostingandCo-Location, United Kingdom
                          Signatures: Installs a global keyboard hook
                        started: powershell.exe 21
                          Signatures: Loading BitLocker PowerShell Module
                          started: WmiPrvSE.exe
                          started: conhost.exe
                        started: powershell.exe 23
                          started: conhost.exe
                        started: schtasks.exe 1
                          started: conhost.exe
                      started: GvgUQlbRIXOe.exe 5
                        Signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file
                        started: GvgUQlbRIXOe.exe
                          Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
                        started: schtasks.exe
                          started: conhost.exe

                    Source | Detection | Scanner | Label | Link
                    PROFORMA FATURA.exe | 75% | ReversingLabs | ByteCode-MSIL.Trojan.SnakeKeylogger |
                    PROFORMA FATURA.exe | 57% | Virustotal | | Browse
                    PROFORMA FATURA.exe | 100% | Joe Sandbox ML | |

                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | 75% | ReversingLabs | ByteCode-MSIL.Trojan.SnakeKeylogger |
                    C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe | 57% | Virustotal | | Browse

                    No Antivirus matches

                    Source | Detection | Scanner | Label | Link
                    zqamcx.com | 9% | Virustotal | | Browse

                    Source | Detection | Scanner | Label | Link
                    https://account.dyn.com/ | 0% | URL Reputation | safe |
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                    https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe |
                    http://x1.c.lencr.org/0 | 0% | URL Reputation | safe |
                    http://x1.i.lencr.org/0 | 0% | URL Reputation | safe |
                    http://r11.i.lencr.org/0# | 0% | Virustotal | | Browse
                    http://zqamcx.com | 9% | Virustotal | | Browse
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    zqamcx.com | 78.110.166.82 | true | true | | unknown
                    Name: http://zqamcx.com
                    Source: PROFORMA FATURA.exe, 00000009.00000002.4572408671.000000000297B000.00000004.00000800.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4572408671.00000000028CE000.00000004.00000800.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4572147923.0000000002CCB000.00000004.00000800.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4572147923.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp
                    Malicious: true
                    Reputation: unknown

                    Name: https://account.dyn.com/
                    Source: PROFORMA FATURA.exe, 00000000.00000002.2171035964.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4568852604.0000000000437000.00000040.00000400.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000B.00000002.2219115296.0000000004BEB000.00000004.00000800.00020000.00000000.sdmp
                    Malicious: false
                    Antivirus Detection: URL Reputation: safe
                    Reputation: unknown

                    Name: http://r11.o.lencr.org0#
                    Source: PROFORMA FATURA.exe, 00000009.00000002.4583291405.0000000006252000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4569708487.0000000000B85000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4572408671.000000000297B000.00000004.00000800.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4569708487.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4572408671.00000000028CE000.00000004.00000800.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4569767009.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4569767009.0000000001016000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4583496379.00000000062F2000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4572147923.0000000002CCB000.00000004.00000800.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4572147923.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp
                    Malicious: false
                    Reputation: unknown

                    Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: PROFORMA FATURA.exe, 00000000.00000002.2170478140.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000B.00000002.2216843841.0000000003260000.00000004.00000800.00020000.00000000.sdmp
                    Malicious: false
                    Antivirus Detection: URL Reputation: safe
                    Reputation: unknown

                    Name: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                    Source: PROFORMA FATURA.exe, GvgUQlbRIXOe.exe.0.dr
                    Malicious: false
                    Antivirus Detection: URL Reputation: safe
                    Reputation: unknown

                    Name: http://r11.i.lencr.org/0#
                    Source: PROFORMA FATURA.exe, 00000009.00000002.4583291405.0000000006252000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4569708487.0000000000B85000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4572408671.000000000297B000.00000004.00000800.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4569708487.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4572408671.00000000028CE000.00000004.00000800.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4569767009.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4569767009.0000000001016000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4583496379.00000000062F2000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4572147923.0000000002CCB000.00000004.00000800.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4572147923.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp
                    Malicious: false
                    Reputation: unknown

                    Name: http://x1.c.lencr.org/0
                    Source: PROFORMA FATURA.exe, 00000009.00000002.4583291405.0000000006252000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4569708487.0000000000B85000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4572408671.000000000297B000.00000004.00000800.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4569708487.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4572408671.00000000028CE000.00000004.00000800.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4583496379.0000000006328000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4569767009.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4569767009.0000000001016000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4583496379.00000000062F2000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4572147923.0000000002CCB000.00000004.00000800.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4572147923.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp
                    Malicious: false
                    Antivirus Detection: URL Reputation: safe
                    Reputation: unknown

                    Name: http://x1.i.lencr.org/0
                    Source: PROFORMA FATURA.exe, 00000009.00000002.4583291405.0000000006252000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4569708487.0000000000B85000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4572408671.000000000297B000.00000004.00000800.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4569708487.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, PROFORMA FATURA.exe, 00000009.00000002.4572408671.00000000028CE000.00000004.00000800.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4583496379.0000000006328000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4569767009.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4569767009.0000000001016000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4583496379.00000000062F2000.00000004.00000020.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4572147923.0000000002CCB000.00000004.00000800.00020000.00000000.sdmp, GvgUQlbRIXOe.exe, 0000000E.00000002.4572147923.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp
                    Malicious: false
                    Antivirus Detection: URL Reputation: safe
                    Reputation: unknown
                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs
                      IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                      78.110.166.82 | zqamcx.com | United Kingdom | | 42831 | UKSERVERS-ASUKDedicatedServersHostingandCo-Location | true
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1525518
                      Start date and time:2024-10-04 10:59:53 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 9m 47s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of new started processes analysed:22
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:PROFORMA FATURA.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@19/15@1/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 182
                      • Number of non-executed functions: 9
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                      • Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Not all processes were analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtCreateKey calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      Time | Type | Description
                      05:00:43 | API Interceptor | 8540099x Sleep call for process: PROFORMA FATURA.exe modified
                      05:00:46 | API Interceptor | 28x Sleep call for process: powershell.exe modified
                      05:00:48 | API Interceptor | 6208296x Sleep call for process: GvgUQlbRIXOe.exe modified
                      11:00:48 | Task Scheduler | Run new task: GvgUQlbRIXOe path: C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe
                      Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                      78.110.166.82 | COB756883.vbs | Get hash | malicious | CobaltStrike | Browse | windowsupdatesolutions.com/ServerCOB.txt
                       | Ingreso_SII_Abril_2021.cmd | Get hash | malicious | Unknown | Browse | www.emolcl.com/namaste/puma.php
                       | Ingreso_SII_Abril_2021.cmd | Get hash | malicious | Unknown | Browse | www.emolcl.com/namaste/puma.php

                      Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                      zqamcx.com | eFatura_ETN2024000000575_Ekleri.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82
                       | SecuriteInfo.com.Win32.MalwareX-gen.16545.12050.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82

                      Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                      UKSERVERS-ASUKDedicatedServersHostingandCo-Location | 30% SWIFT COPY DOWN PAYMENT-PDF.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82
                       | z1quote93039-pdf.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82
                       | z25RFQ945894-PDF.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82
                       | https://client31.webvalue.party/wp-content/uploads/weTranser_edited/weTranser_edited/index.php/ | Get hash | malicious | Unknown | Browse | 5.101.173.45
                       | https://client31.webvalue.party/wp-content/uploads/weTranser_edited/weTranser_edited/index.php?email%5C=3mail@b.c | Get hash | malicious | Unknown | Browse | 5.101.173.45
                       | 450230549.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82
                       | CCE_000110.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82
                       | https://qrplanet.com/smdv5p/ | Get hash | malicious | Unknown | Browse | 5.101.173.45
                       | 22.09.2024-22.09.2024.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82
                       | FaturaHat#U0131rlatma.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82
                      No context
                      No context
                      Process:C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1216
                      Entropy (8bit):5.34331486778365
                      Encrypted:false
                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                      Malicious:false
                      Reputation:high, very likely benign file
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                      Process:C:\Users\user\Desktop\PROFORMA FATURA.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1216
                      Entropy (8bit):5.34331486778365
                      Encrypted:false
                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                      Malicious:true
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2232
                      Entropy (8bit):5.379736180876081
                      Encrypted:false
                      SSDEEP:48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZSUyus:tLHyIFKL3IZ2KRH9Oug0s
                      MD5:23D14C8875D63B191CE7B80A7E0DA611
                      SHA1:61513364D1EA206DE2F86EA8CC14366BBE337FF4
                      SHA-256:1FF046748DCF57390C0519EF9CB2DE9C3ACD0B7D202A735346CEFEFC1B88CB78
                      SHA-512:6319AB379B2610ED0FDC6A3733E43995511DC444874FD880A78C4D144F3C10831A6191F157D49A2802E8620E24046F1D272A06367EA9C11F0FD4B1468465E128
                      Malicious:false
                      Preview:@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                       Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                       File Type:ASCII text, with no line terminators
                       Category:dropped
                       Size (bytes):60
                       Entropy (8bit):4.038920595031593
                       Encrypted:false
                       SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                       MD5:D17FE0A3F47BE24A6453E9EF58C94641
                       SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                       SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                       SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                       Malicious:false
                       Preview:# PowerShell test file to determine AppLocker lockdown mode
                       (This entry is listed seven times in the report, once per powershell.exe instance; every copy has the hashes above.)
                      Process:C:\Users\user\Desktop\PROFORMA FATURA.exe
                      File Type:XML 1.0 document, ASCII text
                      Category:dropped
                      Size (bytes):1599
                      Entropy (8bit):5.100235785500619
                      Encrypted:false
                      SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLXxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTtv
                      MD5:D84EE81413BCE94AAD796C8A69D969D3
                      SHA1:1F9A55D47460C0E956D33DEB5AFD15E6B33E1B60
                      SHA-256:7B8B22FE621C7147A3967B3B1E7DB8C6691F7F371F2F9689F720D9D1FF77C083
                      SHA-512:2E9134B8948C581BAE325F596219A471307DE32B6D7A3657B5C8C112FA27C3677E105C63152265E37D15F04B5D66E8F621FA8621B1290418AAFA31FB7369629B
                      Malicious:true
                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                      Process:C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe
                      File Type:XML 1.0 document, ASCII text
                      Category:dropped
                      Size (bytes):1599
                      Entropy (8bit):5.100235785500619
                      Encrypted:false
                      SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLXxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTtv
                      MD5:D84EE81413BCE94AAD796C8A69D969D3
                      SHA1:1F9A55D47460C0E956D33DEB5AFD15E6B33E1B60
                      SHA-256:7B8B22FE621C7147A3967B3B1E7DB8C6691F7F371F2F9689F720D9D1FF77C083
                      SHA-512:2E9134B8948C581BAE325F596219A471307DE32B6D7A3657B5C8C112FA27C3677E105C63152265E37D15F04B5D66E8F621FA8621B1290418AAFA31FB7369629B
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
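The two entries above are the same scheduled-task definition, dropped once by the original sample and once by its copy under AppData\Roaming: a LogonTrigger for the current user, InteractiveToken logon, LeastPrivilege run level, and a 2014 registration date that cannot be the real creation time. The report's XML is truncated before the <Actions> element. The Python below is an added example written for this page, not Joe Sandbox code and not the malware's: it parses a task definition with the Task Scheduler namespace, decodes the file by BOM (registered tasks are UTF-16, these dropped copies are ASCII), and flags the persistence pattern; scan_tasks_dir applies the same check to a live task store. The Exec command in the constructed sample is assumed to be the AppData copy the report lists as a process; the user-writable path list, the Hidden and HighestAvailable checks and the benign control task go beyond the fragment shown and are assumptions of this example.

```python
import os
import re
import xml.etree.ElementTree as ET
from typing import Iterator, Tuple

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Paths a standard user can write to. A logon-triggered task whose action lives in
# one of them is the user-level persistence pattern this report's Sigma hit describes.
# Assumed list for this example; extend it for your own estate.
USER_WRITABLE = re.compile(
    r"\\AppData\\(Roaming|Local)\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Downloads\\"
    r"|%(APPDATA|LOCALAPPDATA|TEMP|TMP|PROGRAMDATA)%", re.IGNORECASE)

# Constructed from the fragment in the report. Its XML is cut off before <Actions>,
# so the Exec command here is an assumption (the AppData copy the report lists).
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2014-10-25T14:27:44.8929027</Date><Author>user-PC\\user</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled><UserId>user-PC\\user</UserId></LogonTrigger>
    <RegistrationTrigger><Enabled>false</Enabled></RegistrationTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>user-PC\\user</UserId>
    <LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <StartWhenAvailable>true</StartWhenAvailable></Settings>
  <Actions Context="Author"><Exec><Command>C:\\Users\\user\\AppData\\Roaming\\GvgUQlbRIXOe.exe</Command></Exec></Actions>
</Task>
"""

# Constructed control: a scheduled clean-up that should produce no findings.
BENIGN_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Windows\\System32\\cleanmgr.exe</Command></Exec></Actions>
</Task>
"""


def load_task_xml(raw: bytes) -> str:
    """Registered tasks under System32\\Tasks are UTF-16 with a BOM; the dropped copies in
    the report are plain ASCII despite their encoding="UTF-16" prolog. Decode by BOM."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8")


def assess_task(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)

    def text(path: str):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    info = {
        "author": text("t:RegistrationInfo/t:Author"),
        "registered": text("t:RegistrationInfo/t:Date"),
        "logon_trigger": text("t:Triggers/t:LogonTrigger/t:Enabled") == "true",
        "logon_type": text("t:Principals/t:Principal/t:LogonType"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "hidden": text("t:Settings/t:Hidden") == "true",
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
        "findings": [],
    }
    if info["logon_trigger"]:
        info["findings"].append("starts at every interactive logon of the registering user")
    if info["command"] and USER_WRITABLE.search(info["command"]):
        info["findings"].append(f"action lives in a user-writable path: {info['command']}")
    if info["hidden"]:
        info["findings"].append("task is marked Hidden")
    if info["run_level"] == "HighestAvailable":
        info["findings"].append("task asks for the highest available token")
    return info


def scan_tasks_dir(root_dir: str = r"C:\Windows\System32\Tasks") -> Iterator[Tuple[str, dict]]:
    """Walk the task store on a live Windows host; yield every task with a finding."""
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    result = assess_task(load_task_xml(fh.read()))
            except (OSError, ET.ParseError, UnicodeDecodeError):
                continue
            if result["findings"]:
                yield path, result


if __name__ == "__main__":
    for label, xml_text in (("dropped task", SAMPLE_TASK_XML), ("control", BENIGN_TASK_XML)):
        r = assess_task(xml_text)
        print(label, r["command"], r["findings"] or "no findings")
```

On a compromised host, iterate scan_tasks_dir() from an elevated prompt; the task store is not readable by standard users. Registration dates that predate the machine build, as the 2014 date here does, are worth a finding of their own once you know the install date of the fleet.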
                      Process:C:\Users\user\Desktop\PROFORMA FATURA.exe
                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):823816
                      Entropy (8bit):7.509349012348611
                      Encrypted:false
                      SSDEEP:12288:DrG4eUyzwoF6w7g9vZ7Bw6/992kJ9TaRdxkYv8HrAvTmeXNig8g7N5hkR:WvUClwR7BVvRJ9GOted77Ni
                      MD5:49C53C3C0868699A9CBE2EF3D5BFCB8E
                      SHA1:3113B54138AF9199FD97F96A42542541B6A8FDB3
                      SHA-256:0AD205B2D883BCA56250246F308228379C27F6114D8B740014DEEEF53B3412BB
                      SHA-512:2A3A51767F4409A70E5FFF84468A0AEBD2EB7EA200F09AEBDB2FB70274A4D25FA05C15E1194D4CBD3FE83D060D53AA4A584AE6449977AF63D142B9D3EC82E7E3
                      Malicious:true
                      Antivirus:
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: ReversingLabs, Detection: 75%
                      • Antivirus: Virustotal, Detection: 57%, Browse
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:U................0..P...........o... ........@.. ....................................@..................................o..O.......,............\...6...........T..p............................................ ............... ..H............text....O... ...P.................. ..`.rsrc...,............R..............@..@.reloc...............Z..............@..B.................o......H........o...W..............@...........................................^..}.....(.......(.....*..*..*..*....0............{....o....,..{....o....,..{....o....+....,...{........(....o......8.....{....o......,5..{....o....(....#.....@.@[..{......(....o......8.....{....o........,3..{....o....(....#...(\%.@[...{......(....o......+B.{....o........,1..{....o....(....#...(\%.@Z...{......(....o......*.0..+.........,..{.......+....,...{....o........(.....*..0............s....}.....s..
                      Process:C:\Users\user\Desktop\PROFORMA FATURA.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):26
                      Entropy (8bit):3.95006375643621
                      Encrypted:false
                      SSDEEP:3:ggPYV:rPYV
                      MD5:187F488E27DB4AF347237FE461A079AD
                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                      Malicious:true
                      Preview:[ZoneTransfer]....ZoneId=0
                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):7.509349012348611
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                      • Win32 Executable (generic) a (10002005/4) 49.93%
                      • Windows Screen Saver (13104/52) 0.07%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      • DOS Executable Generic (2002/1) 0.01%
                      File name:PROFORMA FATURA.exe
                      File size:823'816 bytes
                      MD5:49c53c3c0868699a9cbe2ef3d5bfcb8e
                      SHA1:3113b54138af9199fd97f96a42542541b6a8fdb3
                      SHA256:0ad205b2d883bca56250246f308228379c27f6114d8b740014deeef53b3412bb
                      SHA512:2a3a51767f4409a70e5fff84468a0aebd2eb7ea200f09aebdb2fb70274a4d25fa05c15e1194d4cbd3fe83d060d53aa4a584ae6449977af63d142b9d3ec82e7e3
                      SSDEEP:12288:DrG4eUyzwoF6w7g9vZ7Bw6/992kJ9TaRdxkYv8HrAvTmeXNig8g7N5hkR:WvUClwR7BVvRJ9GOted77Ni
                      TLSH:AC0538BA91215F82DA133FB048142B413F3CBA7F5A75467C8FD20CA4429DDB9C964BAD
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:U................0..P...........o... ........@.. ....................................@................................
                      Icon Hash:00928e8e8686b000
                      Entrypoint:0x4c6ff2
                      Entrypoint Section:.text
                      Digitally signed:true
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Time Stamp:0xDEBF553A [Thu Jun 3 06:05:46 2088 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                      Signature Valid:false
                      Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                      Signature Validation Error:The digital signature of the object did not verify
                      Error Number:-2146869232
                       Not Before:13/11/2018 01:00:00
                       Not After:09/11/2021 00:59:59
                      Subject Chain
                      • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                      Version:3
                      Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                      Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                      Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                      Serial:7C1118CBBADC95DA3752C46E47A27438
                      Instruction
                      jmp dword ptr [00402000h]
                       add byte ptr [eax], al   (this line repeats 97 times: the bytes after the CLR entry stub are zeros, which disassemble as add byte ptr [eax], al)
                       Name                                  Virtual Address  Virtual Size  Is in Section
                       IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                       IMAGE_DIRECTORY_ENTRY_IMPORT          0xc6f9d          0x4f          .text
                       IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc8000          0x62c         .rsrc
                       IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                       IMAGE_DIRECTORY_ENTRY_SECURITY        0xc5c00          0x3608
                       IMAGE_DIRECTORY_ENTRY_BASERELOC       0xca000          0xc           .reloc
                       IMAGE_DIRECTORY_ENTRY_DEBUG           0xc54f0          0x70          .text
                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                       IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                       IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                       IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                       Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
                       .text   0x2000           0xc4ff8       0xc5000   e472600217abd52ed7acc77771d295c5  False     0.7882755492544417  data       7.502265215302294    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                       .rsrc   0xc8000          0x62c         0x800     cefafaace8ee54082ab72ecc814ef45a  False     0.33935546875       data       3.4701936638851714   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                       .reloc  0xca000          0xc           0x200     13c04688a64c7206bcd3ac338cce7466  False     0.044921875         data       0.09800417566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                       Name         RVA      Size   Type                                                                             Language  Country  ZLIB Complexity
                       RT_VERSION   0xc8090  0x39c  data                                                                                                 0.4231601731601732
                       RT_MANIFEST  0xc843c  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5489795918367347
                       DLL          Import
                       mscoree.dll  _CorExeMain
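The static fields above carry three red flags that a triage script should reproduce before any detonation: a link timestamp of 0xDEBF553A, which decodes to June 2088; a .text section with entropy 7.50 and ZLIB complexity 0.79, far above what plain .NET IL produces; and a 0x3608-byte security directory that makes the file report Digitally signed:true while the signature itself does not verify, with a subject chain for CN=Simon Tatham. The Python below is an added example written for this page, not Joe Sandbox code and not the sample's: it walks the PE headers with struct alone, computes per-section entropy, and reports those three findings. The 7.0 entropy threshold, the test-image builder and the analysis-time value 1728032448 (2024-10-04 09:00:48 UTC) are assumptions of this example. It deliberately does not verify Authenticode, which needs a PKCS#7 parser; on Windows, Get-AuthenticodeSignature or signtool verify /pa is the quick way to reproduce the report's Signature Valid:false.

```python
import math
import struct
import time
from datetime import datetime, timezone
from typing import List, Optional

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data directory slot of the Authenticode certificate table
ENTROPY_PACKED = 7.0                    # assumed threshold; plain .NET IL usually sits well below this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def parse_pe(data: bytes) -> dict:
    """Walk the PE headers with struct only (no pefile dependency)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)        # data directories: PE32 vs PE32+
    sec_off, sec_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, hdr)
        flags = struct.unpack_from("<I", data, hdr + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize, "flags": flags,
            "entropy": shannon_entropy(data[rawptr:rawptr + rawsize]),
        })
    return {"machine": machine, "timestamp": timestamp,
            "security_dir": (sec_off, sec_size), "sections": sections}


def triage(data: bytes, now_ts: Optional[int] = None) -> List[str]:
    """The static red flags to read first; now_ts lets a test pin 'now'."""
    pe = parse_pe(data)
    now_ts = int(time.time()) if now_ts is None else now_ts
    findings = []
    ts = pe["timestamp"]
    if ts > now_ts:
        when = datetime.fromtimestamp(ts, tz=timezone.utc)
        findings.append(f"link timestamp is in the future: 0x{ts:08X} = {when:%Y-%m-%d %H:%M:%S} UTC")
    for s in pe["sections"]:
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] > ENTROPY_PACKED:
            findings.append(f"executable section {s['name']} has entropy {s['entropy']:.2f}: "
                            "packed or encrypted payload likely")
    off, size = pe["security_dir"]
    if size:
        findings.append(f"certificate table attached at file offset 0x{off:x} ({size} bytes); "
                        "presence is not validity, verify the signature separately")
    return findings


def build_sample_pe(timestamp: int, text_payload: bytes, cert_table_size: int = 0) -> bytes:
    """Constructed minimal PE32 image with one .text section, used only as test input.
    This is not the report's sample; the header values are chosen to mirror it."""
    headers, opt_size = 0x400, 224                      # PE32 optional header incl. 16 directories
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     headers + len(text_payload), cert_table_size)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text_payload), 0x2000, len(text_payload),
                       headers, 0, 0, 0, 0, 0x60000020)  # CODE | EXECUTE | READ
    image = dos + b"PE\0\0" + coff + opt + sect
    image += b"\0" * (headers - len(image)) + text_payload + b"\0" * cert_table_size
    return bytes(image)


if __name__ == "__main__":
    # Mirrors the report: 2088 timestamp, high-entropy .text, 0x3608-byte certificate table.
    sample = build_sample_pe(0xDEBF553A, bytes(range(256)) * 16, cert_table_size=0x3608)
    for line in triage(sample, now_ts=1728032448):     # 2024-10-04 09:00:48 UTC, analysis time
        print(line)
```

For a real file, pass open(path, "rb").read() to triage(). A .NET assembly with 7.5 bits per byte in .text is the report's ".NET source code contains potential unpacker" signature seen from the other side: the IL you can decompile is a loader, and the real payload is the high-entropy blob it decrypts and injects.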
                       Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                       Oct 4, 2024 11:00:48.998310089 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:49.003185034 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:49.003372908 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:49.646071911 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:49.646591902 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:49.651648998 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:49.817229986 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:49.817380905 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:49.822217941 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:49.991050959 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:50.000725031 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:50.006155968 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:50.181807995 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:50.181818962 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:50.181824923 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:50.181910992 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:50.273078918 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:50.287060022 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:50.291932106 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:50.457946062 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:50.481291056 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:50.486089945 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:50.651737928 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:50.652836084 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:50.658093929 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:50.822968006 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:50.827410936 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:50.832195997 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:51.005261898 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:51.014534950 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:51.019371986 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:51.184333086 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:51.184526920 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:51.189502954 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:51.360568047 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:51.360753059 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:51.365601063 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:51.530467987 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:51.531148911 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:51.531306028 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:51.531321049 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:51.531342030 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:51.739020109 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:52.051513910 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:52.074050903 CEST  53956        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:52.408710003 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:52.408787012 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:52.409064054 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:52.409125090 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:52.409845114 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:52.409849882 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:52.409853935 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:52.409857988 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:53.082760096 CEST  53956        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:53.463020086 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:53.463470936 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:53.463953972 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:53.464024067 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:53.466039896 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:53.466064930 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:53.469616890 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:53.469631910 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:53.469717026 CEST  53956        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:53.475009918 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:53.475831985 CEST  53956        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:53.823395014 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:53.828176975 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:53.994853020 CEST  587          53953      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:53.998009920 CEST  53953        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:53.998816967 CEST  53958        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:54.003679037 CEST  587          53958      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:54.003968000 CEST  53958        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:54.034327984 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:54.034657001 CEST  53956        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:54.039689064 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:54.202110052 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:54.207700014 CEST  53956        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:54.212616920 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:54.381562948 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:54.388171911 CEST  53956        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:54.393119097 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:54.564479113 CEST  587          53958      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:54.564750910 CEST  53958        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:54.569741964 CEST  587          53958      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:54.583894014 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:54.583920956 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:54.583961010 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:54.584096909 CEST  53956        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:54.585378885 CEST  53956        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:54.590300083 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:54.731090069 CEST  587          53958      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:54.731358051 CEST  53958        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:54.736231089 CEST  587          53958      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:54.753608942 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:54.770524025 CEST  53956        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:54.775429010 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:54.900996923 CEST  587          53958      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:54.901542902 CEST  53958        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:54.906338930 CEST  587          53958      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:54.938353062 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:54.938719034 CEST  53956        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:54.944684982 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.212137938 CEST  587          53958      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.212196112 CEST  587          53958      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.212207079 CEST  587          53958      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.212218046 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.212239981 CEST  53958        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:55.212542057 CEST  587          53958      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.212587118 CEST  53958        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:55.212888002 CEST  587          53958      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.213193893 CEST  53958        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:55.213892937 CEST  53956        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:55.214337111 CEST  53958        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:55.220484972 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.220494986 CEST  587          53958      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.382169008 CEST  587          53958      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.383446932 CEST  53958        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:55.388554096 CEST  587          53958      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.390563965 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.390856028 CEST  53956        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:55.397078991 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.549170017 CEST  587          53958      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.549380064 CEST  53958        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:55.554404974 CEST  587          53958      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.560337067 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.560549021 CEST  53956        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:55.566237926 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.715637922 CEST  587          53958      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.715882063 CEST  53958        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:55.720668077 CEST  587          53958      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.739878893 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.740052938 CEST  53956        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:55.744828939 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.888104916 CEST  587          53958      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.888303995 CEST  53958        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:55.893613100 CEST  587          53958      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.907612085 CEST  587          53956      78.110.166.82  192.168.2.6
                       Oct 4, 2024 11:00:55.908221006 CEST  53956        587        192.168.2.6    78.110.166.82
                       Oct 4, 2024 11:00:55.908298969 CEST  53956        587        192.168.2.6    78.110.166.82
                      Oct 4, 2024 11:00:55.908324003 CEST53956587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:55.908346891 CEST53956587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:55.912966013 CEST5875395678.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:55.913069963 CEST5875395678.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:55.913151026 CEST5875395678.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:55.913160086 CEST5875395678.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:56.054655075 CEST5875395878.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:56.054853916 CEST53958587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:56.059695005 CEST5875395878.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:56.180310965 CEST5875395678.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:56.223429918 CEST53956587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:56.226670027 CEST5875395878.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:56.226869106 CEST53958587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:56.230647087 CEST53956587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:56.231750965 CEST5875395878.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:56.235635996 CEST5875395678.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:56.398843050 CEST5875395878.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:56.400233984 CEST53958587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:56.400341034 CEST53958587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:56.400382042 CEST53958587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:56.400515079 CEST53958587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:56.400580883 CEST53958587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:56.400619984 CEST53958587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:56.400659084 CEST53958587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:56.400703907 CEST53958587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:56.400718927 CEST53958587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:56.400747061 CEST53958587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:56.402719021 CEST5875395678.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:56.405113935 CEST5875395878.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:56.405132055 CEST5875395878.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:56.405241013 CEST5875395878.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:56.405375004 CEST5875395878.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:56.405411959 CEST5875395878.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:56.405508995 CEST5875395878.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:56.405612946 CEST5875395878.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:56.405616999 CEST5875395878.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:56.407408953 CEST53956587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:56.408097982 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:56.412950993 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:56.413804054 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:56.590747118 CEST5875395878.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:56.645319939 CEST53958587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:56.992501974 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:56.992652893 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:56.997538090 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:57.162902117 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:57.163062096 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:57.167877913 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:57.336076021 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:57.336478949 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:57.341299057 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:57.516822100 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:57.516843081 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:57.516858101 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:57.516872883 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:57.516922951 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:57.516967058 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:57.518791914 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:57.523592949 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:57.688975096 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:57.690087080 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:57.694925070 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:57.859657049 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:57.859929085 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:57.864721060 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:58.030277967 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:58.030699015 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:58.035547972 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:58.207654953 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:58.208241940 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:58.213219881 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:58.377640963 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:58.377918959 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:58.382788897 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:58.559283972 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:58.559596062 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:58.564415932 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:58.728827953 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:58.729249954 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:58.729296923 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:58.729321003 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:58.729346037 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:58.729398012 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:58.729444027 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:58.729444027 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:58.729474068 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:58.729474068 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:58.729485989 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:00:58.734062910 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:58.734080076 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:58.734114885 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:58.734294891 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:58.734301090 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:58.734317064 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:58.922409058 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:00:58.973431110 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:02:28.896100998 CEST53958587192.168.2.678.110.166.82
                      Oct 4, 2024 11:02:28.901037931 CEST5875395878.110.166.82192.168.2.6
                      Oct 4, 2024 11:02:29.063570023 CEST5875395878.110.166.82192.168.2.6
                      Oct 4, 2024 11:02:29.064420938 CEST53958587192.168.2.678.110.166.82
                      Oct 4, 2024 11:02:32.131088018 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:02:32.136065960 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:02:32.300879955 CEST5875397578.110.166.82192.168.2.6
                      Oct 4, 2024 11:02:32.349016905 CEST53975587192.168.2.678.110.166.82
                      Oct 4, 2024 11:02:32.374903917 CEST53975587192.168.2.678.110.166.82
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Oct 4, 2024 11:00:48.882498980 CEST | 62943 | 53 | 192.168.2.6 | 1.1.1.1
                      Oct 4, 2024 11:00:48.991504908 CEST | 53 | 62943 | 1.1.1.1 | 192.168.2.6
                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                      Oct 4, 2024 11:00:48.882498980 CEST | 192.168.2.6 | 1.1.1.1 | 0xd2f6 | Standard query (0) | zqamcx.com | A (IP address) | IN (0x0001) | false
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      Oct 4, 2024 11:00:48.991504908 CEST | 1.1.1.1 | 192.168.2.6 | 0xd2f6 | No error (0) | zqamcx.com | (none) | 78.110.166.82 | A (IP address) | IN (0x0001) | false
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                      Oct 4, 2024 11:00:49.646071911 CEST | 587 | 53953 | 78.110.166.82 | 192.168.2.6 | 220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Fri, 04 Oct 2024 10:00:49 +0100
                      220-We do not authorize the use of this system to transport unsolicited,
                      220 and/or bulk e-mail.
                      Oct 4, 2024 11:00:49.646591902 CEST | 53953 | 587 | 192.168.2.6 | 78.110.166.82 | EHLO 651689
                      Oct 4, 2024 11:00:49.817229986 CEST | 587 | 53953 | 78.110.166.82 | 192.168.2.6 | 250-cphost14.qhoster.net Hello 651689 [8.46.123.33]
                      250-SIZE 52428800
                      250-8BITMIME
                      250-PIPELINING
                      250-PIPECONNECT
                      250-STARTTLS
                      250 HELP
                      Oct 4, 2024 11:00:49.817380905 CEST | 53953 | 587 | 192.168.2.6 | 78.110.166.82 | STARTTLS
                      Oct 4, 2024 11:00:49.991050959 CEST | 587 | 53953 | 78.110.166.82 | 192.168.2.6 | 220 TLS go ahead
                      Oct 4, 2024 11:00:54.034327984 CEST | 587 | 53956 | 78.110.166.82 | 192.168.2.6 | 220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Fri, 04 Oct 2024 10:00:53 +0100
                      220-We do not authorize the use of this system to transport unsolicited,
                      220 and/or bulk e-mail.
                      Oct 4, 2024 11:00:54.034657001 CEST | 53956 | 587 | 192.168.2.6 | 78.110.166.82 | EHLO 651689
                      Oct 4, 2024 11:00:54.202110052 CEST | 587 | 53956 | 78.110.166.82 | 192.168.2.6 | 250-cphost14.qhoster.net Hello 651689 [8.46.123.33]
                      250-SIZE 52428800
                      250-8BITMIME
                      250-PIPELINING
                      250-PIPECONNECT
                      250-STARTTLS
                      250 HELP
                      Oct 4, 2024 11:00:54.207700014 CEST | 53956 | 587 | 192.168.2.6 | 78.110.166.82 | STARTTLS
                      Oct 4, 2024 11:00:54.381562948 CEST | 587 | 53956 | 78.110.166.82 | 192.168.2.6 | 220 TLS go ahead
                      Oct 4, 2024 11:00:54.564479113 CEST | 587 | 53958 | 78.110.166.82 | 192.168.2.6 | 220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Fri, 04 Oct 2024 10:00:54 +0100
                      220-We do not authorize the use of this system to transport unsolicited,
                      220 and/or bulk e-mail.
                      Oct 4, 2024 11:00:54.564750910 CEST | 53958 | 587 | 192.168.2.6 | 78.110.166.82 | EHLO 651689
                      Oct 4, 2024 11:00:54.731090069 CEST | 587 | 53958 | 78.110.166.82 | 192.168.2.6 | 250-cphost14.qhoster.net Hello 651689 [8.46.123.33]
                      250-SIZE 52428800
                      250-8BITMIME
                      250-PIPELINING
                      250-PIPECONNECT
                      250-STARTTLS
                      250 HELP
                      Oct 4, 2024 11:00:54.731358051 CEST | 53958 | 587 | 192.168.2.6 | 78.110.166.82 | STARTTLS
                      Oct 4, 2024 11:00:54.900996923 CEST | 587 | 53958 | 78.110.166.82 | 192.168.2.6 | 220 TLS go ahead
                      Oct 4, 2024 11:00:56.992501974 CEST | 587 | 53975 | 78.110.166.82 | 192.168.2.6 | 220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Fri, 04 Oct 2024 10:00:56 +0100
                      220-We do not authorize the use of this system to transport unsolicited,
                      220 and/or bulk e-mail.
                      Oct 4, 2024 11:00:56.992652893 CEST | 53975 | 587 | 192.168.2.6 | 78.110.166.82 | EHLO 651689
                      Oct 4, 2024 11:00:57.162902117 CEST | 587 | 53975 | 78.110.166.82 | 192.168.2.6 | 250-cphost14.qhoster.net Hello 651689 [8.46.123.33]
                      250-SIZE 52428800
                      250-8BITMIME
                      250-PIPELINING
                      250-PIPECONNECT
                      250-STARTTLS
                      250 HELP
                      Oct 4, 2024 11:00:57.163062096 CEST | 53975 | 587 | 192.168.2.6 | 78.110.166.82 | STARTTLS
                      Oct 4, 2024 11:00:57.336076021 CEST | 587 | 53975 | 78.110.166.82 | 192.168.2.6 | 220 TLS go ahead


                      Target ID:0
                      Start time:05:00:43
                      Start date:04/10/2024
                      Path:C:\Users\user\Desktop\PROFORMA FATURA.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\PROFORMA FATURA.exe"
                      Imagebase:0xa60000
                      File size:823'816 bytes
                      MD5 hash:49C53C3C0868699A9CBE2EF3D5BFCB8E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2171035964.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2171035964.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:true

                      Target ID:3
                      Start time:05:00:45
                      Start date:04/10/2024
                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA FATURA.exe"
                      Imagebase:0x9f0000
                      File size:433'152 bytes
                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:4
                      Start time:05:00:45
                      Start date:04/10/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff66e660000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:5
                      Start time:05:00:45
                      Start date:04/10/2024
                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe"
                      Imagebase:0x9f0000
                      File size:433'152 bytes
                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:6
                      Start time:05:00:45
                      Start date:04/10/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff66e660000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:7
                      Start time:05:00:45
                      Start date:04/10/2024
                      Path:C:\Windows\SysWOW64\schtasks.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GvgUQlbRIXOe" /XML "C:\Users\user\AppData\Local\Temp\tmpAB7A.tmp"
                      Imagebase:0x20000
                      File size:187'904 bytes
                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:8
                      Start time:05:00:46
                      Start date:04/10/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff66e660000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:9
                      Start time:05:00:46
                      Start date:04/10/2024
                      Path:C:\Users\user\Desktop\PROFORMA FATURA.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\PROFORMA FATURA.exe"
                      Imagebase:0x5a0000
                      File size:823'816 bytes
                      MD5 hash:49C53C3C0868699A9CBE2EF3D5BFCB8E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.4572408671.00000000028CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.4572408671.00000000028F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.4572408671.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.4572408671.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:false

                      Target ID:10
                      Start time:05:00:48
                      Start date:04/10/2024
                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Imagebase:0x7ff717f30000
                      File size:496'640 bytes
                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                      Has elevated privileges:true
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:11
                      Start time:05:00:48
                      Start date:04/10/2024
                      Path:C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe
                      Imagebase:0xc00000
                      File size:823'816 bytes
                      MD5 hash:49C53C3C0868699A9CBE2EF3D5BFCB8E
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2219115296.0000000004BEB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2219115296.0000000004BEB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      Antivirus matches:
                      • Detection: 100%, Joe Sandbox ML
                      • Detection: 75%, ReversingLabs
                      • Detection: 57%, Virustotal
                      Reputation:low
                      Has exited:true

                      Target ID:12
                      Start time:05:00:49
                      Start date:04/10/2024
                      Path:C:\Windows\SysWOW64\schtasks.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GvgUQlbRIXOe" /XML "C:\Users\user\AppData\Local\Temp\tmpBA20.tmp"
                      Imagebase:0x20000
                      File size:187'904 bytes
                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:13
                      Start time:05:00:49
                      Start date:04/10/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff66e660000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:14
                      Start time:05:00:50
                      Start date:04/10/2024
                      Path:C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\AppData\Roaming\GvgUQlbRIXOe.exe"
                      Imagebase:0x800000
                      File size:823'816 bytes
                      MD5 hash:49C53C3C0868699A9CBE2EF3D5BFCB8E
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.4572147923.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.4572147923.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.4572147923.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.4572147923.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:false


                        Execution Graph

                        Execution Coverage:11.6%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:4.7%
                        Total number of Nodes:318
                        Total number of Limit Nodes:8
                        execution_graph: [node and edge listing of the rendered execution graph; the graph itself is not reproducible as text. API calls labelled on its nodes: CreateActCtxA, GetModuleHandleW, CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread, PostMessageW]
37708->37701 37712 53b4040 37711->37712 37713 53b40da CallWindowProcW 37712->37713 37714 53b4089 37712->37714 37713->37714 37714->37708 37716 53b4082 37715->37716 37718 53b4089 37715->37718 37717 53b40da CallWindowProcW 37716->37717 37716->37718 37717->37718 37718->37708 37719 53b8f52 37720 53b8f60 37719->37720 37721 53b8b44 GetModuleHandleW 37720->37721 37722 53b8f6f 37721->37722 37523 2cad040 37524 2cad086 37523->37524 37528 2cad618 37524->37528 37532 2cad628 37524->37532 37525 2cad173 37529 2cad628 37528->37529 37535 2cad27c 37529->37535 37533 2cad27c DuplicateHandle 37532->37533 37534 2cad656 37533->37534 37534->37525 37536 2cad690 DuplicateHandle 37535->37536 37537 2cad656 37536->37537 37537->37525 37538 53b6be0 37539 53b6c0d 37538->37539 37556 53b6a30 37539->37556 37541 53b6c4e 37542 53b6a30 GetModuleHandleW 37541->37542 37543 53b6c80 37542->37543 37561 53b6a40 37543->37561 37546 53b6a40 GetModuleHandleW 37547 53b6ce4 37546->37547 37548 53b6a30 GetModuleHandleW 37547->37548 37549 53b6d16 37548->37549 37565 53b6a50 37549->37565 37551 53b6d48 37552 53b6a50 GetModuleHandleW 37551->37552 37553 53b6d7a 37552->37553 37554 53b6a50 GetModuleHandleW 37553->37554 37555 53b6dac 37554->37555 37557 53b6a3b 37556->37557 37569 2ca8308 37557->37569 37577 2ca5cc4 37557->37577 37558 53b7cf3 37558->37541 37562 53b6a4b 37561->37562 37626 53b8b44 37562->37626 37564 53b6cb2 37564->37546 37566 53b6a5b 37565->37566 37631 53be418 37566->37631 37568 53bf871 37568->37551 37571 2ca82cf 37569->37571 37570 2ca82d1 37571->37570 37573 2ca85cb 37571->37573 37585 2caac78 37571->37585 37572 2ca8609 37572->37558 37573->37572 37589 2cacd78 37573->37589 37594 2cacd68 37573->37594 37579 2ca5ccf 37577->37579 37578 2ca82d1 37579->37578 37581 2ca85cb 37579->37581 37582 2caac78 GetModuleHandleW 37579->37582 37580 2ca8609 37580->37558 37581->37580 37583 2cacd68 GetModuleHandleW 37581->37583 37584 2cacd78 GetModuleHandleW 37581->37584 37582->37581 37583->37580 37584->37580 37599 2caaca0 37585->37599 
37602 2caacb0 37585->37602 37586 2caac8e 37586->37573 37590 2cacd99 37589->37590 37591 2cacdbd 37590->37591 37610 2cacf28 37590->37610 37614 2cacf19 37590->37614 37591->37572 37595 2cacd99 37594->37595 37596 2cacdbd 37595->37596 37597 2cacf28 GetModuleHandleW 37595->37597 37598 2cacf19 GetModuleHandleW 37595->37598 37596->37572 37597->37596 37598->37596 37605 2caada8 37599->37605 37600 2caacbf 37600->37586 37603 2caacbf 37602->37603 37604 2caada8 GetModuleHandleW 37602->37604 37603->37586 37604->37603 37606 2caaddc 37605->37606 37607 2caadb9 37605->37607 37606->37600 37607->37606 37608 2caafe0 GetModuleHandleW 37607->37608 37609 2cab00d 37608->37609 37609->37600 37611 2cacf35 37610->37611 37612 2cacf6f 37611->37612 37618 2cabae0 37611->37618 37612->37591 37615 2cacf28 37614->37615 37616 2cacf6f 37615->37616 37617 2cabae0 GetModuleHandleW 37615->37617 37616->37591 37617->37616 37619 2cabaeb 37618->37619 37621 2cadc88 37619->37621 37622 2cad2dc 37619->37622 37621->37621 37623 2cad2e7 37622->37623 37624 2ca5cc4 GetModuleHandleW 37623->37624 37625 2cadcf7 37624->37625 37625->37621 37627 53b8b4f 37626->37627 37628 2ca8308 GetModuleHandleW 37627->37628 37629 53b8fa2 37627->37629 37630 2ca5cc4 GetModuleHandleW 37627->37630 37628->37629 37629->37564 37630->37629 37632 53be423 37631->37632 37634 2ca8308 GetModuleHandleW 37632->37634 37635 2ca5cc4 GetModuleHandleW 37632->37635 37633 53bfd6c 37633->37568 37634->37633 37635->37633
                        Memory Dump Source
                        • Source File: 00000000.00000002.2172895265.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_53b0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3876dfb4ef557d3ccf8c4f478b9a75ab6f7bae651377c8d6c2aa7d9b332f822e
                        • Instruction ID: 12348c19e6fc20755fa2d4052b57537e29d30e881518c5024549bd095bdaa6c1
                        • Opcode Fuzzy Hash: 3876dfb4ef557d3ccf8c4f478b9a75ab6f7bae651377c8d6c2aa7d9b332f822e
                        • Instruction Fuzzy Hash: 3CB2C274A00219CFDB14DB68C994BD9B7B2FF8A300F1185E9D509AB362DB71AE85CF41
                        Memory Dump Source
                        • Source File: 00000000.00000002.2172895265.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_53b0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f95a28fc8952a2c7da3e4c64e218750f5592418ebbc0afc82e1dbf04bae116fc
                        • Instruction ID: 4e9f3d0070313342774e4d49536d2b05c350fdc2983ce547796fbd971a040133
                        • Opcode Fuzzy Hash: f95a28fc8952a2c7da3e4c64e218750f5592418ebbc0afc82e1dbf04bae116fc
                        • Instruction Fuzzy Hash: 83B2C274A00219CFDB14DB68C994BD9B7B2FF8A300F1185E9D509AB362DB71AE85CF41
                        Memory Dump Source
                        • Source File: 00000000.00000002.2174574607.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7470000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cfdcbad78878980160d703118a2bf07a246d2928d1a5647071c919c46dd0efa9
                        • Instruction ID: 3dee43bea031c0c00baaf9b7f1c0a14e9c78792173d8a441bc8c4e9bb290dfa7
                        • Opcode Fuzzy Hash: cfdcbad78878980160d703118a2bf07a246d2928d1a5647071c919c46dd0efa9
                        • Instruction Fuzzy Hash: BAD067B8818204CBC714DF64E4995F8BBFCEB0F351F006466D40AE7215D7749981CF15

                        Control-flow Graph (graph residue; the rendered graph is not preserved): function blocks 7477e9d-74781ed, calls CreateProcessA
                        APIs
                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 074780DE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2174574607.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7470000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: 5aad411f9080b512f23b9cf07536be1364ba21c938e7672fcd9a0dfaca7a92da
                        • Instruction ID: 16d7ada9aebca3e1b2a8bc96128c85314d86a1ccdc867e8bd0102dad025a6577
                        • Opcode Fuzzy Hash: 5aad411f9080b512f23b9cf07536be1364ba21c938e7672fcd9a0dfaca7a92da
                        • Instruction Fuzzy Hash: 4DA15CB1D0025ADFEB24CF68C9457DEBBB6FF48314F14856AE808A7240DB749985CF91

                        Control-flow Graph (graph residue; the rendered graph is not preserved): function blocks 7477ea8-74781ed, calls CreateProcessA
                        APIs
                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 074780DE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2174574607.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7470000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: e46aadb8c13464a144a9c83a13bb32cf73750f2ea525ef14e0b2cd0c5abea835
                        • Instruction ID: 8f29a58920a3015c5c70050613d9b41df57cff1e375bc7f7929e8b8aa178ebe1
                        • Opcode Fuzzy Hash: e46aadb8c13464a144a9c83a13bb32cf73750f2ea525ef14e0b2cd0c5abea835
                        • Instruction Fuzzy Hash: CA915BB1D0025ADFEB24CF68C945BDEBBB6FF48314F14856AE808A7240DB749985CF91

                        Control-flow Graph (graph residue; the rendered graph is not preserved): function blocks 2caada8-2cab028, calls 2caa0cc, 2cab040/2cab030, 2caa0d8, 2caa0e8, 2caa0f8, 2caa108 and GetModuleHandleW
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 02CAAFFE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2170319326.0000000002CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2ca0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: b270592e441135280c8eb540d705992c7002025a02be1478c659239d855d71be
                        • Instruction ID: 32221cdff19e710cc4770b77a6ed67e535cab1f303a499b1e9585ce42601fd7c
                        • Opcode Fuzzy Hash: b270592e441135280c8eb540d705992c7002025a02be1478c659239d855d71be
                        • Instruction Fuzzy Hash: 16713670A00B469FD764DF2AD45175ABBF1FF88308F008A2DD48AD7A50DB75E945CB90

                        Control-flow Graph (graph residue; the rendered graph is not preserved): function blocks 2ca44b0-2ca5b14, calls CreateActCtxA
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 02CA59C9
                        Memory Dump Source
                        • Source File: 00000000.00000002.2170319326.0000000002CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2ca0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: 3fa91d100c20b5164ce69438b91b85892e2f1fac98426fa0fe6a1d133e74e758
                        • Instruction ID: 5fdd16e3641f4f29f04ea89289b108592c57ebd8b7aa4aead64c2a25e3ea8575
                        • Opcode Fuzzy Hash: 3fa91d100c20b5164ce69438b91b85892e2f1fac98426fa0fe6a1d133e74e758
                        • Instruction Fuzzy Hash: 1F41E370D0071DCFDB24CFA9C98579EBBB5BF48704F60806AD409AB251DB756945CF90

                        Control-flow Graph (graph residue; the rendered graph is not preserved): function blocks 2ca590c-2ca5b14, calls CreateActCtxA
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 02CA59C9
                        Memory Dump Source
                        • Source File: 00000000.00000002.2170319326.0000000002CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2ca0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: f50211bee19f3249a72a5a400d0dba6a94b7ca271749bfaa0de1b3f7351f6309
                        • Instruction ID: 7acf0159a5b25093b202ad5508e637eea973fd51a1c42dff8595f532d8428c04
                        • Opcode Fuzzy Hash: f50211bee19f3249a72a5a400d0dba6a94b7ca271749bfaa0de1b3f7351f6309
                        • Instruction Fuzzy Hash: 564100B1C00719CFDB24CFA9C9857DEBBB1BF48308F60806AD408AB251DB71694ACF50

                        Control-flow Graph (graph residue; the rendered graph is not preserved): function blocks 53b4040-53b415c, calls CallWindowProcW
                        APIs
                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 053B4101
                        Memory Dump Source
                        • Source File: 00000000.00000002.2172895265.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_53b0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: CallProcWindow
                        • String ID:
                        • API String ID: 2714655100-0
                        • Opcode ID: 344ef963c3127a3a4d5aa5a8f913adb59bdfdb2c8294e556d65d3c8d2a45c12b
                        • Instruction ID: af1b6a54883830f1f83caef2333faab669c3b44a3529dc69a58427790248dc0c
                        • Opcode Fuzzy Hash: 344ef963c3127a3a4d5aa5a8f913adb59bdfdb2c8294e556d65d3c8d2a45c12b
                        • Instruction Fuzzy Hash: 0C4119B99003098FDB14CF99C448AAAFBF6FB88314F24C459D519AB721D7B5A841CFA4

                        Control-flow Graph (graph residue; the rendered graph is not preserved): function blocks 7477c18-7477cf6, calls WriteProcessMemory
                        APIs
                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07477CB0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2174574607.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7470000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0
                        • Opcode ID: 2118d29d466ff25a511492a6f8a0e8e531f668eb46722e3d93624ef9ad0d2f84
                        • Instruction ID: 594e516b5796a91942979babf6ef548462486c8922345ee661bd8a0143e2a297
                        • Opcode Fuzzy Hash: 2118d29d466ff25a511492a6f8a0e8e531f668eb46722e3d93624ef9ad0d2f84
                        • Instruction Fuzzy Hash: 642148B69003499FDF10CFA9C881BEEBBF4FF48320F50842AE918A7250C7789550CBA5

                        Control-flow Graph (graph residue; the rendered graph is not preserved): function blocks 7477c20-7477cf6, calls WriteProcessMemory
                        APIs
                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07477CB0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2174574607.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7470000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0
                        • Opcode ID: 2b8c10eeb48460fe2258a697abf6cc1d36b0836f27d4f8bf807096adf01b3f70
                        • Instruction ID: 0b34236a97ff093aa787e167a25611ac3dbb80dfc250b8c64582befb5a385622
                        • Opcode Fuzzy Hash: 2b8c10eeb48460fe2258a697abf6cc1d36b0836f27d4f8bf807096adf01b3f70
                        • Instruction Fuzzy Hash: FA2128B19003499FDB10CFA9C881BDEBBF5FF48320F50842AE518A7250D7789554CBA4

                        Control-flow Graph (graph residue; the rendered graph is not preserved): function blocks 747764a-7477714, calls Wow64SetThreadContext
                        APIs
                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074776CE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2174574607.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7470000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID:
                        • API String ID: 983334009-0
                        • Opcode ID: 53c2a89a5898183c55d6bdd3291a19888cd88e3836b1ffcdbd8cadd4dbad5d20
                        • Instruction ID: 98b2a2c0624701f158998ee7f626db9b62aa07b24340325e51751d06ff37962e
                        • Opcode Fuzzy Hash: 53c2a89a5898183c55d6bdd3291a19888cd88e3836b1ffcdbd8cadd4dbad5d20
                        • Instruction Fuzzy Hash: C2213AB19043098FDB10CFAAC4857EEBBF0AF88324F14842ED559A7240C7789544CFA5

                        Control-flow Graph (graph residue; the rendered graph is not preserved): function blocks 7477d09-7477dd6, calls ReadProcessMemory
                        APIs
                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07477D90
                        Memory Dump Source
                        • Source File: 00000000.00000002.2174574607.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7470000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID:
                        • API String ID: 1726664587-0
                        • Opcode ID: 8e42ab8ceae69ce74558d8bac783f767af35cc8d1dc9d6abecc66cf1fdb14b91
                        • Instruction ID: 3aecf99ffa17bddd9bef061b73747312b04ede31d9ca9aa248e97f7695e174ae
                        • Opcode Fuzzy Hash: 8e42ab8ceae69ce74558d8bac783f767af35cc8d1dc9d6abecc66cf1fdb14b91
                        • Instruction Fuzzy Hash: 882139B190035A9FDF10CFA9C880BEEBBF1FF48310F50842AE558A7240D7789500CBA4

                        Control-flow Graph (graph residue; the rendered graph is not preserved): function blocks 2cad27c-2cad74a, calls DuplicateHandle
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02CAD656,?,?,?,?,?), ref: 02CAD717
                        Memory Dump Source
                        • Source File: 00000000.00000002.2170319326.0000000002CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2ca0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: e62a9293a683673e3e5899622ac0045cadb07fc2d3d994241a556865055855a0
                        • Instruction ID: dd3703d688dc37cb6979a6bc09f248705963bcfc4a1f83f4086a421c0ca8e3eb
                        • Opcode Fuzzy Hash: e62a9293a683673e3e5899622ac0045cadb07fc2d3d994241a556865055855a0
                        • Instruction Fuzzy Hash: 3221E4B5900349DFDB10CF9AD984ADEBBF4FB48324F14841AE919A3310D378A950CFA5

                        Control-flow Graph (graph residue; the rendered graph is not preserved): function blocks 7477650-7477714, calls Wow64SetThreadContext
                        APIs
                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074776CE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2174574607.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7470000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID:
                        • API String ID: 983334009-0
                        • Opcode ID: 45b175dd4a7f08721610de9aad270a55ffd2e6bd5bf651bccb52207f6a396a43
                        • Instruction ID: d56e9f686ef66a1bc3116c85970a2747df31b07b428c35ba8c7c615cb0197f66
                        • Opcode Fuzzy Hash: 45b175dd4a7f08721610de9aad270a55ffd2e6bd5bf651bccb52207f6a396a43
                        • Instruction Fuzzy Hash: 432129B19003099FDB10DFAAC4857EEBBF4EF88324F54842AD519A7240DB789944CFA5

                        Control-flow Graph (graph residue; the rendered graph is not preserved): function blocks 7477d10-7477dd6, calls ReadProcessMemory
                        APIs
                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07477D90
                        Memory Dump Source
                        • Source File: 00000000.00000002.2174574607.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7470000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID:
                        • API String ID: 1726664587-0
                        • Opcode ID: db6f02a8492ea8e69180066584227b479c96dd8addc6b9a0439edd3a37f7d3f0
                        • Instruction ID: e521b6fa776b9c0499fd664d23266ed8f71968d49cd66041aa1f4909f70408da
                        • Opcode Fuzzy Hash: db6f02a8492ea8e69180066584227b479c96dd8addc6b9a0439edd3a37f7d3f0
                        • Instruction Fuzzy Hash: E12128B18003599FDB10CFAAC881BEEBBF5FF48310F50842AE518A7250D7789910CBA5

                        Control-flow Graph (graph residue; the rendered graph is not preserved): function blocks 2cad689-2cad74a, calls DuplicateHandle
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02CAD656,?,?,?,?,?), ref: 02CAD717
                        Memory Dump Source
                        • Source File: 00000000.00000002.2170319326.0000000002CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2ca0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: 125ee4d72c62938d994c36ade64c1909f84dda0912528e222ba5cfe16e254e67
                        • Instruction ID: cc58046bdf12acc47b438d2494c8a10520d4c76b20b97b2464ddd14f8eddf111
                        • Opcode Fuzzy Hash: 125ee4d72c62938d994c36ade64c1909f84dda0912528e222ba5cfe16e254e67
                        • Instruction Fuzzy Hash: 9A21C2B5900249DFDB10CFAAD984ADEBBF5FB48324F14841AE919B3350D378AA54CF64

                        Control-flow Graph (rendered graph not reproduced)
                        • Node 300: 7477b58-7477bdb, calls VirtualAllocEx
                        • Node 303: 7477be4-7477c09
                        • Node 304: 7477bdd-7477be3
                        • Edges: 300->303, 300->304, 304->303
                        APIs
                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07477BCE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2174574607.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7470000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: cae1b85537046e7663d802a61d488946116af51a2ac45e4166e090173e5dcc7c
                        • Instruction ID: 77841298e00dce81ba110c9270843d0cf0a6cb0fe8c06fced75655a1e7277116
                        • Opcode Fuzzy Hash: cae1b85537046e7663d802a61d488946116af51a2ac45e4166e090173e5dcc7c
                        • Instruction Fuzzy Hash: AD1144729002499FDB10CFAAC844BEFBBF5AF88324F24841AE519A7250C7799950CBA4
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2174574607.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7470000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        • Opcode ID: d52e97cf49259569e20a436f979f83e216da141df80a0c92238588588216463d
                        • Instruction ID: 218113ec7209a20b323d66511fe19c4498b1ad7a8013737ad2acdfa1be3b8a4f
                        • Opcode Fuzzy Hash: d52e97cf49259569e20a436f979f83e216da141df80a0c92238588588216463d
                        • Instruction Fuzzy Hash: 18113AB190034A8FDB20DFAAD4457DFFBF4EF88724F24881AD559A7240CB75A940CBA5
                        APIs
                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07477BCE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2174574607.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7470000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 4afe5e5d62d55c261b81701631b5b6ef4f4f9c96a6f22736dfffa4e4ed0b8424
                        • Instruction ID: 13141b78d363ffe40024b4e642744d0b8cf18f85a574a6e224e951590fa5bfab
                        • Opcode Fuzzy Hash: 4afe5e5d62d55c261b81701631b5b6ef4f4f9c96a6f22736dfffa4e4ed0b8424
                        • Instruction Fuzzy Hash: 391156728003499FDB10CFAAC845BEFBBF5AF88324F10841AE519A7250C775A510CBA0
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2174574607.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7470000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        • Opcode ID: f3c1ff5e72dcdc48b9b9b5ddaca42fe19eeca64c0053561d399e683f91b2d9a8
                        • Instruction ID: 1c71bfda13e9a471dfe8466b66ebf1d1f92ce72f07014c364d017690650b19dc
                        • Opcode Fuzzy Hash: f3c1ff5e72dcdc48b9b9b5ddaca42fe19eeca64c0053561d399e683f91b2d9a8
                        • Instruction Fuzzy Hash: 1B113AB19003498FDB20DFAAC4457DFFBF4AF88724F24881AD519A7240CB75A540CBA5
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 0747C89D
                        Memory Dump Source
                        • Source File: 00000000.00000002.2174574607.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7470000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        • Opcode ID: 624d342d570859e4c2315bccf7363cbe1b1d44483c36566de3e00729a09b7e95
                        • Instruction ID: 04c1c3ddcdeddbacc3cd901850f0c9cc9c9ab5844e21154ef563167d3405ad59
                        • Opcode Fuzzy Hash: 624d342d570859e4c2315bccf7363cbe1b1d44483c36566de3e00729a09b7e95
                        • Instruction Fuzzy Hash: E311DFB58003499FDB10DF9AD985BDEBBF8EB48320F20881AE958A7650C375A544CFA5
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 0747C89D
                        Memory Dump Source
                        • Source File: 00000000.00000002.2174574607.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7470000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        • Opcode ID: 9df77d529e926a8011512afba6e7f9b626fc61215fc7e0200f82cb58b7628c0c
                        • Instruction ID: 56afaf71cb437502c18833b475f82c8c2ca2d10e982fa640e368b248dceb32ac
                        • Opcode Fuzzy Hash: 9df77d529e926a8011512afba6e7f9b626fc61215fc7e0200f82cb58b7628c0c
                        • Instruction Fuzzy Hash: C91103B5804349DFDB10DF9AC585BDEBBF8FB48320F10881AE918A7210D3B5A954CFA5
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 02CAAFFE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2170319326.0000000002CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2ca0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: 7733a49ba918985fdf07389b46f2da4513c79140de3886d0622103daea203996
                        • Instruction ID: bebbd5ae81f229be436981d24609201309e49e8f6c3065d7df118e67c824f42d
                        • Opcode Fuzzy Hash: 7733a49ba918985fdf07389b46f2da4513c79140de3886d0622103daea203996
                        • Instruction Fuzzy Hash: AF1113B6C0074A8FCB10CF9AC444BDEFBF4AF88228F10841AD429A7210D375A545CFA1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2169892482.0000000002BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BAD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2bad000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1ff451b43f2d2216401c08bc71361c993a64e20dd6dfcb9caecec1fdd4f3d2b5
                        • Instruction ID: 897aa2a4772fc6ac27f3837acf5257ebee206f1874bdf9ff68f517b1254e2696
                        • Opcode Fuzzy Hash: 1ff451b43f2d2216401c08bc71361c993a64e20dd6dfcb9caecec1fdd4f3d2b5
                        • Instruction Fuzzy Hash: 74213D75508305DFDB08DF14D5C0B16BF65FB84314F24C5ADD9090B656C736E456CBA1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2169892482.0000000002BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BAD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2bad000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6130024bb53c88d81d35792c4cb32939c49eacfee5c9fbd0315d971074a22a31
                        • Instruction ID: 83c05fd3cc8b2d61b5264271de851f16239422b368eabbd54db35317684bedd8
                        • Opcode Fuzzy Hash: 6130024bb53c88d81d35792c4cb32939c49eacfee5c9fbd0315d971074a22a31
                        • Instruction Fuzzy Hash: 332125B2508241EFDB05DF14D9D0B2ABF65FB88318F24C5A9E9090B657C336D456CBA1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2170018325.0000000002BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BBD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2bbd000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6ecb9af4bb51234f931c5d7e9b978c2dfa1a7a08a14518c15b9ddd3150916562
                        • Instruction ID: 09e50975e0c2ff2f4fdcd79464510abc0169c4c7d3adcc65038d6f5ab073557f
                        • Opcode Fuzzy Hash: 6ecb9af4bb51234f931c5d7e9b978c2dfa1a7a08a14518c15b9ddd3150916562
                        • Instruction Fuzzy Hash: 10212275604201EFDB16DF14D9D0B66BB61FF88314F60C5ADE90A4B252C3BAD407CA61
                        Memory Dump Source
                        • Source File: 00000000.00000002.2170018325.0000000002BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BBD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2bbd000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 96cd42c9cd9dc0206666b70e366d0829271baf2df57d4bef8148831a4ce188ef
                        • Instruction ID: 2bc1a8019a98e547c4e2c8d564b58d1640449442a8d9f1db29aff96773f5389d
                        • Opcode Fuzzy Hash: 96cd42c9cd9dc0206666b70e366d0829271baf2df57d4bef8148831a4ce188ef
                        • Instruction Fuzzy Hash: 8C213775A04281EFDB06DF10D5C0B75BB61FF84314F20C5ADE9494B252C3BAD446CB61
                        Memory Dump Source
                        • Source File: 00000000.00000002.2170018325.0000000002BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BBD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2bbd000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6f2f5f8f59f83aa1e7f7af1c91002b01ae76a6ba9df7d98ac4853576d73317e8
                        • Instruction ID: 0cc7d4fd484c34675f85698a157afb6ecfffbfa6fe7ba2fea0b08aa7bfd47107
                        • Opcode Fuzzy Hash: 6f2f5f8f59f83aa1e7f7af1c91002b01ae76a6ba9df7d98ac4853576d73317e8
                        • Instruction Fuzzy Hash: 792181755093808FCB17CF20D9A4B55BF71EF45214F28C5EAD8498B6A7C37AD80ACB62
                        Memory Dump Source
                        • Source File: 00000000.00000002.2169892482.0000000002BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BAD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2bad000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                        • Instruction ID: 1f4e5c3767ff93a81372e965f5b367807da8e216a5035ea154e2f897f2f16c77
                        • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                        • Instruction Fuzzy Hash: 3F11D376504280CFCB15CF10D5C4B1ABF71FB84318F24C6A9D8490B657C33AD456CBA1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2169892482.0000000002BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BAD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2bad000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                        • Instruction ID: 6e3df09e4f8c88de6d5bcbcf755d8a9d420bd6262dd9d8915367172bbfbaaeb9
                        • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                        • Instruction Fuzzy Hash: 1411E6B6504281DFDB15CF10D5C4B1ABF71FB84324F28C6E9D8090B666C33AE456CBA1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2170018325.0000000002BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BBD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2bbd000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                        • Instruction ID: 8d3c94f5c71ad8aa08637fb7e9f94ec3376685ca30595d0c63301605e09a3714
                        • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                        • Instruction Fuzzy Hash: 63118B75904284DFCB16CF10D5C4B65BBA1FF84218F24C6A9D8894B6A6C37AD44ACB61
                        Memory Dump Source
                        • Source File: 00000000.00000002.2169892482.0000000002BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BAD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2bad000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5251536e9f4ff854ce7f218f9f4b0d34e92012288d86e9a958aa46659d2da546
                        • Instruction ID: d0592408776066ef789b53e7b32a684ededb18f053fdce23a83e6c209c11a763
                        • Opcode Fuzzy Hash: 5251536e9f4ff854ce7f218f9f4b0d34e92012288d86e9a958aa46659d2da546
                        • Instruction Fuzzy Hash: BB01267200C3459BE7184F25CD94B26BF98DF41324F08C59AEE094A696DBB99840CBB1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2169892482.0000000002BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BAD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2bad000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5569e543090bf6713666df743db7e80f3c1ed8316ec59695e81c2a5063e00b10
                        • Instruction ID: 4496bb8e5f3ea2cd70a22eec1f8be386281e309110dd5597f60050f99afbd4ea
                        • Opcode Fuzzy Hash: 5569e543090bf6713666df743db7e80f3c1ed8316ec59695e81c2a5063e00b10
                        • Instruction Fuzzy Hash: 1FF096724093449EE7148F16DDC4B62FF98EB81634F18C55AED084B696C779A844CBB1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2172895265.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_53b0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4de50f1c41efc7c52c33d3e1265e82a948d5af9b3c3c30fc5f8e67d78dccad61
                        • Instruction ID: f81670515bcee687cd6cba12160828fca6605d8f393485ae6d6419efc69c56ee
                        • Opcode Fuzzy Hash: 4de50f1c41efc7c52c33d3e1265e82a948d5af9b3c3c30fc5f8e67d78dccad61
                        • Instruction Fuzzy Hash: 561274B0C817458AE710CF65F94C2893BA1B785318FD04A09DA616F3E5EBBC196ECF46
                        Memory Dump Source
                        • Source File: 00000000.00000002.2174574607.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7470000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c0d5b3f62632a17595b806e4f1e77d4573f8034465abb5d3a7735f62ed46e472
                        • Instruction ID: 19d976264d3a81def7c055e3a1168367d6b28d8d533e8d68a04138569ee0ad31
                        • Opcode Fuzzy Hash: c0d5b3f62632a17595b806e4f1e77d4573f8034465abb5d3a7735f62ed46e472
                        • Instruction Fuzzy Hash: 00E10DB4E102598FDB15DFA9C580AEEFBB2FF49304F64825AD414AB355D730A942CFA0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2174574607.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7470000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 579a562d4df9fc80a47d5e57557c9c700d6fd3252c44d559701603726bc4d022
                        • Instruction ID: 022cca8e61741ac787bc6c74ef9b6d06bc990759011748e04d13dda93556f962
                        • Opcode Fuzzy Hash: 579a562d4df9fc80a47d5e57557c9c700d6fd3252c44d559701603726bc4d022
                        • Instruction Fuzzy Hash: 1AE1FCB4E102598FDB14DFA9C590AEEFBB2FF49304F24826AD414AB355D730A942CF61
                        Memory Dump Source
                        • Source File: 00000000.00000002.2174574607.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7470000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 486f745d0e58958ff2e823c9d1e06c2edb043b9459f158b18891ce7c2dd1174f
                        • Instruction ID: 4a266df72fb3d3387ab0754fc3ee45e17dd9cccde0172e97f7eb578e50b47d4f
                        • Opcode Fuzzy Hash: 486f745d0e58958ff2e823c9d1e06c2edb043b9459f158b18891ce7c2dd1174f
                        • Instruction Fuzzy Hash: 51E1EBB4E102598FDB14DFA9C590AEEFBB2FF89304F24825AD414AB355D730A942CF60
                        Memory Dump Source
                        • Source File: 00000000.00000002.2174574607.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7470000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fb80834cbdd19b2a9a90d48863ea64bc27786cabe38e9b22753b2b48dc470f43
                        • Instruction ID: 8255a69ccddd926a4e48eafca793b7bcac149f2eec1f092cc2fcbc3cde0be71d
                        • Opcode Fuzzy Hash: fb80834cbdd19b2a9a90d48863ea64bc27786cabe38e9b22753b2b48dc470f43
                        • Instruction Fuzzy Hash: 85E1FBB4E102598FDB14DFA9C580AEEFBB2FF49305F24826AD414AB355D731A942CF60
                        Memory Dump Source
                        • Source File: 00000000.00000002.2174574607.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7470000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0426739b622c0917a84bcdf4d65baf493a44becac581f2060532affd6eb14656
                        • Instruction ID: 89f32d46a790a9b811769deb47f03fbae8c69beebec8862632c86e3159ec90ad
                        • Opcode Fuzzy Hash: 0426739b622c0917a84bcdf4d65baf493a44becac581f2060532affd6eb14656
                        • Instruction Fuzzy Hash: DBE1EAB4E102598FDB14DFA9C580AEEFBB2FF89304F24826AD414A7355D731A942CF61
                        Memory Dump Source
                        • Source File: 00000000.00000002.2170319326.0000000002CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2ca0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6cca66aecff3e67bb99705fdbba6bf9226adf555751b4f645e2680cb709d0567
                        • Instruction ID: 8dcb61e3178a2ba6914d2526e30a7c452f86347dcabfde4dd2fbd2139e7401f4
                        • Opcode Fuzzy Hash: 6cca66aecff3e67bb99705fdbba6bf9226adf555751b4f645e2680cb709d0567
                        • Instruction Fuzzy Hash: 22A17F32E0020A8FCF15DFB5C8545AEB7B2FF85308B15856EE905AB265DB32E915CF80
                        Memory Dump Source
                        • Source File: 00000000.00000002.2172895265.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_53b0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 82a647b7bdc727b0d3a15f5f90d4633e1af1c997e88364f1ef17c258479a2d27
                        • Instruction ID: 87e9a10fde2c016a32fd1f7115be0b936c99b64becd2f02305dac4c1f714d2cd
                        • Opcode Fuzzy Hash: 82a647b7bdc727b0d3a15f5f90d4633e1af1c997e88364f1ef17c258479a2d27
                        • Instruction Fuzzy Hash: 15C1F8B0C817468AE710CF25F9482897BB1BB85324F954B09D9616F3D1EBBC186ECF46
                        Memory Dump Source
                        • Source File: 00000000.00000002.2174574607.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7470000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a5459423b5302865de6f6b207af07fbb68a2b6ee629fb8aebfb5d3ce8a7ea01f
                        • Instruction ID: 7a8d9aa079c5c6658bd3b747b1cbcc78ee9693b9fb1eecdae0dc882975fb5fb0
                        • Opcode Fuzzy Hash: a5459423b5302865de6f6b207af07fbb68a2b6ee629fb8aebfb5d3ce8a7ea01f
                        • Instruction Fuzzy Hash: 6051FDB4E102598FDB15DFA9C5805EEFBF2FF89204F24816AD418AB355D7309A42CFA1

                        Execution Graph

                        Execution Coverage:11.9%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:106
                        Total number of Limit Nodes:9
                        execution_graph (rendered graph not reproduced; node/edge dump omitted)
                        • Entry nodes: da099b, 5516ce0, 55166d8
                        • APIs reached on the graph: GlobalMemoryStatusEx (from da1478, da6f68, da6ec7, da7080, 5d6d428, 5d6d668, 5d6e228, 5d6e356), GetModuleHandleW (from 551ebd8, 551eb90, 551de84), DuplicateHandle (from 55166d8)
                        Memory Dump Source
                        • Source File: 00000009.00000002.4571433690.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_da0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1042c1cd388f4454eb502f22edd6fd294e0fb6b45f5421ecb982c3ddc49fdcf5
                        • Instruction ID: b613c9c2e43271de98f0009dd84c3ee908642b320a4e6aa59e5df6a9b3405b25
                        • Opcode Fuzzy Hash: 1042c1cd388f4454eb502f22edd6fd294e0fb6b45f5421ecb982c3ddc49fdcf5
                        • Instruction Fuzzy Hash: 4253F931D10B1A8ACB51EF68C8805A9F7B1FF9A310F15D79AE45877121FB70AAC5CB81
                        Memory Dump Source
                        • Source File: 00000009.00000002.4571433690.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_da0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c6591f6c7b04ad0f4d3c1c46d2de0a4842a1dbec1f7b9b162bf873032a3ae415
                        • Instruction ID: 8d3bd05751f3525b84f37eecff511e5e3a78e70cf2fbd36d92ba0117d30bc52d
                        • Opcode Fuzzy Hash: c6591f6c7b04ad0f4d3c1c46d2de0a4842a1dbec1f7b9b162bf873032a3ae415
                        • Instruction Fuzzy Hash: 5E332D31D10B198EDB11EF68C8806ADF7B1FF99300F15C79AE459A7211EB70AAC5CB91
                        Memory Dump Source
                        • Source File: 00000009.00000002.4571433690.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_da0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4c47aad33428992a4976fb45fdff604572e3c169595fa390a27b08f864860538
                        • Instruction ID: 8f5fe9216d61a568825588ac9ee2aa41541622b3e10366950028510c907042d2
                        • Opcode Fuzzy Hash: 4c47aad33428992a4976fb45fdff604572e3c169595fa390a27b08f864860538
                        • Instruction Fuzzy Hash: 87523D34A002058FDB24DFA8C584B9DB7F2EF4A314F5985AAD409EB355DB74EC81CBA1
                        Memory Dump Source
                        • Source File: 00000009.00000002.4571433690.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_da0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c85825ac8a3410a2dc1f1ec52961293be9f57affed2a1df9d6161b774f26b78d
                        • Instruction ID: 18b58b491e74e036e57880c5b4402372b60b218c7d3b9a2e93acc321ad749006
                        • Opcode Fuzzy Hash: c85825ac8a3410a2dc1f1ec52961293be9f57affed2a1df9d6161b774f26b78d
                        • Instruction Fuzzy Hash: 26B16E70E00209CFDF14CFA9C99179DBBF2AF89714F188529D815E7294EBB4D845CBA1
                        Memory Dump Source
                        • Source File: 00000009.00000002.4571433690.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_da0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 917aec06e4e0fe5c5e5b4ee946da1c41f834f1723b0e3fbfeb6556f99720039b
                        • Instruction ID: f7e22b979af2a3c9bc6015036629499c9d87ee543bff55ea9510c974e1bb4902
                        • Opcode Fuzzy Hash: 917aec06e4e0fe5c5e5b4ee946da1c41f834f1723b0e3fbfeb6556f99720039b
                        • Instruction Fuzzy Hash: 80917C70E00309CFDF10CFA9D9917DEBBF2AF89314F188529E405A7294EB749985CBA1

                        Control-flow Graph (rendered graph omitted; nodes marked Executed / Not Executed)
                        Memory Dump Source
                        • Source File: 00000009.00000002.4582288814.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_5510000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: 1b96f654e490d3959ecf4702ab0b40b132c674af004bf0a1f67d22be98ce3c1a
                        • Instruction ID: 05c7f8304f265bf5e0fe21735d9d045ae3847635f1dca454236225cde37b36fc
                        • Opcode Fuzzy Hash: 1b96f654e490d3959ecf4702ab0b40b132c674af004bf0a1f67d22be98ce3c1a
                        • Instruction Fuzzy Hash: AA713470A00B058FE724DF6AD445B6ABBF6FF88300F04892DD88AD7A40DB75E845CB95

                        Control-flow Graph (rendered graph omitted; nodes marked Executed / Not Executed)
                        Memory Dump Source
                        • Source File: 00000009.00000002.4582492092.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_5d60000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6c2ecc551a997271ddd76b0d68e7f192ca2799724bd6f73d70ab87f05dadccbd
                        • Instruction ID: ff7f50c5dda5686d10131c0b3a8f6eff9f2edb69c976dea69474293e4e750c48
                        • Opcode Fuzzy Hash: 6c2ecc551a997271ddd76b0d68e7f192ca2799724bd6f73d70ab87f05dadccbd
                        • Instruction Fuzzy Hash: AF41F372E047558FDB04DFA9D80079EBBF5EFC9220F14866BD504A7391DB749845CBA0

                        Control-flow Graph (rendered graph omitted; nodes marked Executed / Not Executed)
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0551675F
                        Memory Dump Source
                        • Source File: 00000009.00000002.4582288814.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_5510000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: 8b7661a425368f8fd63a2998db005cd111516c98f9fe835746f0d72ffe7d942b
                        • Instruction ID: 0e6139ac60172bf49d2d9997488d5fc07a3f8e5f79a8ed6e9e09ddb21be520c7
                        • Opcode Fuzzy Hash: 8b7661a425368f8fd63a2998db005cd111516c98f9fe835746f0d72ffe7d942b
                        • Instruction Fuzzy Hash: A821C4B59002499FDB10CFAAD984ADEBFF4FB48320F14841AE914A3350D774A954CFA5

                        Control-flow Graph (rendered graph omitted; nodes marked Executed / Not Executed)
                        APIs
                        • GlobalMemoryStatusEx.KERNELBASE(8B5504F4), ref: 05D6E377
                        Memory Dump Source
                        • Source File: 00000009.00000002.4582492092.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_5d60000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: GlobalMemoryStatus
                        • String ID:
                        • API String ID: 1890195054-0
                        • Opcode ID: b90e7e3ff4e195c625c183213b017672b423f9ecb66a028941078d3056b93380
                        • Instruction ID: 8f9d27c6a9b577244c898f5b28e6c8076228ce1c10a6eb5fe3e48665aeae39ab
                        • Opcode Fuzzy Hash: b90e7e3ff4e195c625c183213b017672b423f9ecb66a028941078d3056b93380
                        • Instruction Fuzzy Hash: 091114B1C0065A9FCB10CF9AC544B9EFBF4BF48320F11816AD518A7240D378A950CFA5

                        Control-flow Graph (rendered graph omitted; nodes marked Executed / Not Executed)
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0551E9BC), ref: 0551EBF6
                        Memory Dump Source
                        • Source File: 00000009.00000002.4582288814.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_5510000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: c241f67563c9cfbc28c59c7e33da9ebb8cfbb56535e3376a3f77382a57c2939c
                        • Instruction ID: 96c2167857e8af314a3ddd74df086d6ce129a09aeaf5dde14683bf38cac30cdd
                        • Opcode Fuzzy Hash: c241f67563c9cfbc28c59c7e33da9ebb8cfbb56535e3376a3f77382a57c2939c
                        • Instruction Fuzzy Hash: E61123B5C043498FDB10CF9AC544B9EFFF8BB88214F10841AD919B7200C378A505CFA4

                        Control-flow Graph (rendered graph omitted; nodes marked Executed / Not Executed)
                        Memory Dump Source
                        • Source File: 00000009.00000002.4571433690.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_da0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f8e6d5d26fb400094ed9e8ec58f54711d9fc25e2184f96f02e9f8a0c5574ce21
                        • Instruction ID: 3d272d8042d01094ac06b06875fad9ee9ea8d2c69f7b7aecf7be277087f36cbc
                        • Opcode Fuzzy Hash: f8e6d5d26fb400094ed9e8ec58f54711d9fc25e2184f96f02e9f8a0c5574ce21
                        • Instruction Fuzzy Hash: 76128134701202DFDB19AB3CE45422D37A6FBD6314B14592DE206DB3A6CF75ED868BA0

                        Control-flow Graph (rendered graph omitted; nodes marked Executed / Not Executed)
                        Memory Dump Source
                        • Source File: 00000009.00000002.4571433690.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_da0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 511ee248a52e4202f737f9d59318d02640cc7e727ef748e1b4ac43a1ebad3007
                        • Instruction ID: 0e47074b2ca712839c6c1300a36b6b721c325373d82527e7adf3669ed9a234f9
                        • Opcode Fuzzy Hash: 511ee248a52e4202f737f9d59318d02640cc7e727ef748e1b4ac43a1ebad3007
                        • Instruction Fuzzy Hash: 10D19D34A002058FDB14DF68D8907AEFBB6EF8A310F28856AE509DB295D774DC45CBA1
                        Memory Dump Source
                        • Source File: 00000009.00000002.4571433690.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_da0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1716b410bcad8e0d682f53ab91adeefb1149f9a59b0dbf88dc81ef5c1c2d0094
                        • Instruction ID: ae9afc8e483936b36a164ca5bc1c6e8ad1c275ca360e17c1382b967247b513f7
                        • Opcode Fuzzy Hash: 1716b410bcad8e0d682f53ab91adeefb1149f9a59b0dbf88dc81ef5c1c2d0094
                        • Instruction Fuzzy Hash: 9AB17134A002048FDB14DFA8E594AADBBF2FF89310F258469E506EB395DB35DD46CB60
                        Memory Dump Source
                        • Source File: 00000009.00000002.4571433690.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_da0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2a250dab0cb6f98b7d3c1d587d21ea024bb9257d6f0df45b5b577b342ebeb3fc
                        • Instruction ID: cb867ce3678a7cc4f7fd1b7c0c3fe156913d0e3042eeda328cd0c8f23c17d84d
                        • Opcode Fuzzy Hash: 2a250dab0cb6f98b7d3c1d587d21ea024bb9257d6f0df45b5b577b342ebeb3fc
                        • Instruction Fuzzy Hash: 97B15D70E00219CFDF10CFA8C99579DBBF1AF89714F288529D815E7294EBB4D845CBA1
                        Memory Dump Source
                        • Source File: 00000009.00000002.4571433690.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_da0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 707dd0852d4b7fb3c961c41b502bdc0438a58ca8f1055a7da5722fbcbd61176c
                        • Instruction ID: 8fbb74cffcd4b7a02456de901a0f5c814b2711a0609c2599e20d28031198e20c
                        • Opcode Fuzzy Hash: 707dd0852d4b7fb3c961c41b502bdc0438a58ca8f1055a7da5722fbcbd61176c
                        • Instruction Fuzzy Hash: 6C916C70E00309CFDF10CFA8D9857DEBBF2AF89314F188129E415A7294EB749985CBA1
                        Memory Dump Source
                        • Source File: 00000009.00000002.4571433690.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_da0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5c7287c62368361589a959a565ad012331ffbea1c0bce51fcfe761fd4a8da474
                        • Instruction ID: ebcffef58fb216e10faaed48a8dbb9151338d1db12079f94138cde8b01317690
                        • Opcode Fuzzy Hash: 5c7287c62368361589a959a565ad012331ffbea1c0bce51fcfe761fd4a8da474
                        • Instruction Fuzzy Hash: 6E719031F002199BDB15EFB8D8506AEBBB6AFC5710F148529E405AB380DF349D42C7A5
                        Memory Dump Source
                        • Source File: 00000009.00000002.4571433690.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_da0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9395900b5c1f2f092befe467469616bbff3160f3f15eabd3f0374eb2b7bb5769
                        • Instruction ID: 15fa700af24d3026e5509ece9ddafcb952a18051a36ea3c40c86c584fc75e4bc
                        • Opcode Fuzzy Hash: 9395900b5c1f2f092befe467469616bbff3160f3f15eabd3f0374eb2b7bb5769
                        • Instruction Fuzzy Hash: EA716971E002498FDF10CFA9D8817DEBBF1AF89714F188129E415AB254EBB49842CFA1
                        Memory Dump Source
                        • Source File: 00000009.00000002.4571433690.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_da0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d64b58b870501575c883a45356bd0d509968b68690b5109ba70d135d9162acca
                        • Instruction ID: 0543581334dad37d76589b29d64d11ad1da828b18f98acc7fe5d4e17c926d82c
                        • Opcode Fuzzy Hash: d64b58b870501575c883a45356bd0d509968b68690b5109ba70d135d9162acca
                        • Instruction Fuzzy Hash: 1E715A71E00249DFDF10CFA9D88179EBBF2BF89714F188129E415A7254EBB89841CFA5
                        Memory Dump Source
                        • Source File: 00000009.00000002.4571433690.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_da0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6fea469dd2edb0dbd3b5d286e3fd514417ff90fcd55884bf91eef008d06440ba
                        • Instruction ID: c7b479c4e87fe7bdb50f85bf60c1c8baed1b2f4f1abc9369d30bfab4aa0a798d
                        • Opcode Fuzzy Hash: 6fea469dd2edb0dbd3b5d286e3fd514417ff90fcd55884bf91eef008d06440ba
                        • Instruction Fuzzy Hash: 8351D131B002598FDB15DF78D8547AEB7B2EF86300F14856AE506EB281EB71DC46CBA0
                        Memory Dump Source
                        • Source File: 00000009.00000002.4571433690.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_da0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c89cfdd34f6a05e0664eda8e86ddd3acb6b79160d4b1e04f59934d50caa48a7f
                        • Instruction ID: 7b796eaa3ae1bdf57a67504395fe2d5f296987ee2b4c3ffdbb4cca517120f418
                        • Opcode Fuzzy Hash: c89cfdd34f6a05e0664eda8e86ddd3acb6b79160d4b1e04f59934d50caa48a7f
                        • Instruction Fuzzy Hash: E4512375E00258CFDB14CFA9C885B9DBBF1BF49310F188529E815BB351D774A844CBA5
                        Memory Dump Source
                        • Source File: 00000009.00000002.4571433690.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_da0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e9b99e28a6d98de6013967b04056bcd182baff907ba7b6010a21553ecb947709
                        • Instruction ID: 052018735d9fd3ae2d2cadc32f99b3dafa96cdfbc4d99fc6ba5dd77df65abc6c
                        • Opcode Fuzzy Hash: e9b99e28a6d98de6013967b04056bcd182baff907ba7b6010a21553ecb947709
                        • Instruction Fuzzy Hash: E8510375E00258CFDB14CFA9C885B9EBBB1BF49310F188529E815BB391DB74A844CBA5
                        Memory Dump Source
                        • Source File: 00000009.00000002.4571433690.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_da0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 96b7435de256441e78aa7f15bfb9bbe23509dec5a38f9766878e279a4d32b096
                        • Instruction ID: b0a426212249adad56d363af683f6cf57aeb708e2865a7321f90d03818bfd6a3
                        • Opcode Fuzzy Hash: 96b7435de256441e78aa7f15bfb9bbe23509dec5a38f9766878e279a4d32b096
                        • Instruction Fuzzy Hash: D131C0307002458FDB19AB78D55466E7BA6EB8A740F2444B8C406DB396EF75CC468BE1
                        Memory Dump Source
                        • Source File: 00000009.00000002.4571433690.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_da0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 96e6e6d24b9c139e31e9e9eba74f9d1b9f59ba971f03032dc0cb5b4782507244
                        • Instruction ID: f287ed46d2a938ffe42966b8ebedb6e25f11f475af4af8801556ba44b5bfccb6
                        • Opcode Fuzzy Hash: 96e6e6d24b9c139e31e9e9eba74f9d1b9f59ba971f03032dc0cb5b4782507244
                        • Instruction Fuzzy Hash: 1B51DB74246A82DFD70AEF2CF9A09553FB1EBD130570499EDD1009B27ADAA46906CF50
                        Memory Dump Source
                        • Source File: 00000009.00000002.4571433690.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_da0000_PROFORMA FATURA.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 255b9afa10b8d4693b5804edc27816a80f1d9ecfdea188dba071f0f02ce26305
                        • Instruction ID: 226a82b082edab89f5151790db939e17174d0666098567a5c31b002b4100a21a

Execution Graph

Execution Coverage: 10.9%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 336
Total number of Limit Nodes: 12
38173 5551aef 38173->38166 38174->38173 38175->38173 38177 5551ace 38176->38177 38179 5552818 2 API calls 38177->38179 38180 5552808 2 API calls 38177->38180 38178 5551aef 38178->38166 38179->38178 38180->38178 38182 555280d 38181->38182 38183 5552877 38182->38183 38191 5552990 38182->38191 38196 55529a0 38182->38196 38187 5552845 38186->38187 38188 5552877 38187->38188 38189 5552990 2 API calls 38187->38189 38190 55529a0 2 API calls 38187->38190 38189->38188 38190->38188 38193 55529b4 38191->38193 38192 5552a40 38192->38183 38201 5552a58 38193->38201 38204 5552a48 38193->38204 38197 55529b4 38196->38197 38199 5552a58 2 API calls 38197->38199 38200 5552a48 2 API calls 38197->38200 38198 5552a40 38198->38183 38199->38198 38200->38198 38202 5552a69 38201->38202 38207 5554012 38201->38207 38202->38192 38205 5552a69 38204->38205 38206 5554012 2 API calls 38204->38206 38205->38192 38206->38205 38211 5554040 38207->38211 38215 5554030 38207->38215 38208 555402a 38208->38202 38212 5554082 38211->38212 38214 5554089 38211->38214 38213 55540da CallWindowProcW 38212->38213 38212->38214 38213->38214 38214->38208 38216 5554040 38215->38216 38217 55540da CallWindowProcW 38216->38217 38218 5554089 38216->38218 38217->38218 38218->38208 38219 5558f52 38220 5558f60 38219->38220 38223 5558b44 38220->38223 38222 5558f6f 38224 5558b4f 38223->38224 38225 5558fa2 38224->38225 38228 1635cc4 38224->38228 38232 1638308 38224->38232 38225->38222 38230 1635ccf 38228->38230 38229 1638609 38229->38225 38230->38229 38236 163cd77 38230->38236 38233 16382f8 38232->38233 38233->38232 38234 1638609 38233->38234 38235 163cd77 2 API calls 38233->38235 38234->38225 38235->38234 38237 163cd99 38236->38237 38238 163cdbd 38237->38238 38241 163cf28 38237->38241 38245 163cf19 38237->38245 38238->38229 38242 163cf35 38241->38242 38243 163cf6f 38242->38243 38249 163bae0 38242->38249 38243->38238 38246 163cf35 38245->38246 38247 163bae0 2 API calls 38246->38247 38248 163cf6f 38246->38248 38247->38248 
38248->38238 38250 163bae5 38249->38250 38252 163dc88 38250->38252 38253 163d2dc 38250->38253 38252->38252 38254 163d2e7 38253->38254 38255 1635cc4 2 API calls 38254->38255 38256 163dcf7 38255->38256 38260 163fa70 38256->38260 38266 163fa88 38256->38266 38257 163dd31 38257->38252 38262 163fbb9 38260->38262 38263 163fab9 38260->38263 38261 163fac5 38261->38257 38262->38257 38263->38261 38272 55509c0 38263->38272 38276 55509b0 38263->38276 38268 163fbb9 38266->38268 38269 163fab9 38266->38269 38267 163fac5 38267->38257 38268->38257 38269->38267 38270 55509c0 2 API calls 38269->38270 38271 55509b0 2 API calls 38269->38271 38270->38268 38271->38268 38273 55509eb 38272->38273 38274 5550a9a 38273->38274 38280 5551790 38273->38280 38277 55509eb 38276->38277 38278 5550a9a 38277->38278 38279 5551790 2 API calls 38277->38279 38279->38278 38281 55517a0 38280->38281 38281->38274 38285 55518e4 38281->38285 38289 55518f0 38281->38289 38286 5551958 CreateWindowExW 38285->38286 38288 5551a14 38286->38288 38290 5551958 CreateWindowExW 38289->38290 38292 5551a14 38290->38292 38292->38292 38293 1634668 38294 163467a 38293->38294 38295 1634686 38294->38295 38299 1634779 38294->38299 38304 1633e28 38295->38304 38297 16346a5 38300 163479d 38299->38300 38308 1634879 38300->38308 38312 1634888 38300->38312 38305 1633e33 38304->38305 38320 1635c44 38305->38320 38307 1637048 38307->38297 38310 16348af 38308->38310 38309 163498c 38309->38309 38310->38309 38316 16344b0 38310->38316 38313 16348af 38312->38313 38314 163498c 38313->38314 38315 16344b0 CreateActCtxA 38313->38315 38314->38314 38315->38314 38317 1635918 CreateActCtxA 38316->38317 38319 16359db 38317->38319 38321 1635c4f 38320->38321 38324 1635c64 38321->38324 38323 16370ed 38323->38307 38325 1635c6f 38324->38325 38328 1635c94 38325->38328 38327 16371c2 38327->38323 38329 1635c9f 38328->38329 38330 1635cc4 2 API calls 38329->38330 38331 16372c5 38330->38331 38331->38327

                        Control-flow Graph

                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 0163D0BE
                        • GetCurrentThread.KERNEL32 ref: 0163D0FB
                        • GetCurrentProcess.KERNEL32 ref: 0163D138
                        • GetCurrentThreadId.KERNEL32 ref: 0163D191
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2215753142.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_1630000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: Current$ProcessThread
                        • String ID:
                        • API String ID: 2063062207-0
                        • Opcode ID: 3ee6e6d37e0bf197fd47f9b0bb805b78a93d47425b34709823d5bbdc773c8fa2
                        • Instruction ID: 4cff09d740201fcf5be7259e46942aadf2f93203e97ff14a84d34eb78f95090d
                        • Opcode Fuzzy Hash: 3ee6e6d37e0bf197fd47f9b0bb805b78a93d47425b34709823d5bbdc773c8fa2
                        • Instruction Fuzzy Hash: FF5156B1900349CFEB14CFA9D9487DEBBF1BF88314F208459E119A7360DB745984CB65

                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 0163D0BE
                        • GetCurrentThread.KERNEL32 ref: 0163D0FB
                        • GetCurrentProcess.KERNEL32 ref: 0163D138
                        • GetCurrentThreadId.KERNEL32 ref: 0163D191
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2215753142.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_1630000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: Current$ProcessThread
                        • String ID:
                        • API String ID: 2063062207-0
                        • Opcode ID: b003cd8f09444e8f421698cdb9cfed33defb0e5e830aeb0f9a2f23206d858c53
                        • Instruction ID: 5526ccf6e6ba525ba9539721519834f233e0206d4f1edc6049d4f5cffa95025c
                        • Opcode Fuzzy Hash: b003cd8f09444e8f421698cdb9cfed33defb0e5e830aeb0f9a2f23206d858c53
                        • Instruction Fuzzy Hash: 445144B0900349CFEB54CFAAD948B9EBBF1AF88314F208459E119A7360DB745984CB65

                        APIs
                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 072180DE
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2221695574.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_7210000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: be3b7c9e5b940088d9419d52d8985e7f996d2a63dd926762946b0439161b2a99
                        • Instruction ID: 0933f4d7fda3c06a5ec8e0e8baafdcf2be61f4078c6563c01d69e64d6d8f3362
                        • Opcode Fuzzy Hash: be3b7c9e5b940088d9419d52d8985e7f996d2a63dd926762946b0439161b2a99
                        • Instruction Fuzzy Hash: 50A13AB1D1025ADFEB24CF68C881B9EBBF2BF58310F148569E809A7240DB749985CF91

                        APIs
                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 072180DE
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2221695574.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_7210000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: 776202d54f67d6e7ad9f7f78d5f22cd3e80e56f42ca951daa7ef465aeb2da8f9
                        • Instruction ID: e0ee1480d49ea74a6c0ee8c874fe1c962e9b613e2b0a3d602eca9a873a325cb5
                        • Opcode Fuzzy Hash: 776202d54f67d6e7ad9f7f78d5f22cd3e80e56f42ca951daa7ef465aeb2da8f9
                        • Instruction Fuzzy Hash: 7A913AB1D1021ADFEB24CF68C881B9EBBF2FF58310F148569E809A7240DB749985CF91

                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0163AFFE
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2215753142.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_1630000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: af948f8d635a036c18f82d538871377a025d81ef2175cc50e52155eba3a7e587
                        • Instruction ID: d9fe084bd3f8d563da19dcc7e014fd202666656ef91bc14ed9a4e84f4f6a61f6
                        • Opcode Fuzzy Hash: af948f8d635a036c18f82d538871377a025d81ef2175cc50e52155eba3a7e587
                        • Instruction Fuzzy Hash: 54713570A00B058FE724DF6AC84475ABBF1FF88604F008A2DD58AD7B50D775E849DB91

                        APIs
                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05551A02
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2220685487.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_5550000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: CreateWindow
                        • String ID:
                        • API String ID: 716092398-0
                        • Opcode ID: 0e715f7ac02dc1c9aa79cd1f1f1dac7dd633b60c777e2d5fb6ed557584d0acb2
                        • Instruction ID: 225fb45cf60b23d86b647f1d0b7fb068bbff55d6701a5fbe7fd1729281689743
                        • Opcode Fuzzy Hash: 0e715f7ac02dc1c9aa79cd1f1f1dac7dd633b60c777e2d5fb6ed557584d0acb2
                        • Instruction Fuzzy Hash: 2251D0B1D10709DFDB14CF99C994ADEBFB1BF48310F24822AE819AB250D775A985CF90

                        APIs
                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05551A02
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2220685487.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_5550000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: CreateWindow
                        • String ID:
                        • API String ID: 716092398-0
                        • Opcode ID: 0f3ed1c962b518647c43a6b02da66e30e99ddd9d000a6e9f8f8125ee4e3311b4
                        • Instruction ID: 474f480ee78cc4c7657b9db5bcf0b19c5d72ef631715d8e846985ee7da1b3904
                        • Opcode Fuzzy Hash: 0f3ed1c962b518647c43a6b02da66e30e99ddd9d000a6e9f8f8125ee4e3311b4
                        • Instruction Fuzzy Hash: 4E41C0B1D107499FDB14CF99C894ADEBFB5BF88310F24812AE819AB210D774A985CF90

                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 016359C9
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2215753142.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_1630000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: 4f37c00dd779b4b3bbfd05e3782b4a349ad120b286359ea0a6bae68143627379
                        • Instruction ID: defd9150d6f18677883f059803a797de13e975ac202987c572d5a642e161f31e
                        • Opcode Fuzzy Hash: 4f37c00dd779b4b3bbfd05e3782b4a349ad120b286359ea0a6bae68143627379
                        • Instruction Fuzzy Hash: 2941EFB0C00719CBEB25CFAAC884BDEBBB5BF89314F60816AD409AB251DB755946CF50

                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 016359C9
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2215753142.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_1630000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: a834dac332386ab428a74683dff0aecfcc91da05afc7323a2d2e367021a33fbf
                        • Instruction ID: 7d4a6c66392682d07501a296aa646ce7c864f182e00b3dfd5d30fb00e1951b66
                        • Opcode Fuzzy Hash: a834dac332386ab428a74683dff0aecfcc91da05afc7323a2d2e367021a33fbf
                        • Instruction Fuzzy Hash: B941D270C0071DCBEB24DFAAC98479EBBB5BF89704F20815AD409AB251DB756946CF90

                        APIs
                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 05554101
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2220685487.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_5550000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: CallProcWindow
                        • String ID:
                        • API String ID: 2714655100-0
                        • Opcode ID: 6dcf0364a3fbf90fae44d85d85356774f51f51aee92bca149f35cc63855403b6
                        • Instruction ID: a50f87c5238fa55ebd4edc729eb3a361ec26ff20ccb0ec4f6165bb273052df5e
                        • Opcode Fuzzy Hash: 6dcf0364a3fbf90fae44d85d85356774f51f51aee92bca149f35cc63855403b6
                        • Instruction Fuzzy Hash: DA41F7B5A00709CFDB14CF99C848AAABBF5FB88324F24C459D519AB321D775A841CFA0

                        APIs
                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07217CB0
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2221695574.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_7210000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0
                        • Opcode ID: a7c6266723d36d9a1e4bb3836c5d381395fae6ea14684cf5e8ef996fc2222031
                        • Instruction ID: 29b65bffc0ea12103ced4f0d849f0e1651f427f65bfe09529190c9f831fcbad2
                        • Opcode Fuzzy Hash: a7c6266723d36d9a1e4bb3836c5d381395fae6ea14684cf5e8ef996fc2222031
                        • Instruction Fuzzy Hash: C92139B291034A9FDB10CFA9C881BDEBBF5FF88320F10842AE558A7341C7789550CBA1

                        APIs
                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07217CB0
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2221695574.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_7210000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0
                        • Opcode ID: cecce563719e612df2c4a080e8624b22689aaa84b2a492c54badc639f09645ba
                        • Instruction ID: 98d4b142cb9cb78a5e8a52959c044d88347de4743365be384e828d19a79c0ac5
                        • Opcode Fuzzy Hash: cecce563719e612df2c4a080e8624b22689aaa84b2a492c54badc639f09645ba
                        • Instruction Fuzzy Hash: 4D2128B191034A9FDB10CFA9C885BDEBBF5FF88320F108429E519A7340C7789550CBA4

                        APIs
                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07217D90
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2221695574.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_7210000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID:
                        • API String ID: 1726664587-0
                        • Opcode ID: 2fa0e91725e77bd272457c4bc1484fb3fc8a0e2027a6ff694115b9947bd4ed8e
                        • Instruction ID: cf48f8e81cfcf5b6a98cd13a265b46a8e60201d85cefbbfef6651d900ed00197
                        • Opcode Fuzzy Hash: 2fa0e91725e77bd272457c4bc1484fb3fc8a0e2027a6ff694115b9947bd4ed8e
                        • Instruction Fuzzy Hash: 9E2119B190035A9FDF10CFA9C884BEEBBF1FF88310F14852AE559A7240C7789551CBA1

                        APIs
                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 072176CE
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2221695574.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_7210000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID:
                        • API String ID: 983334009-0
                        • Opcode ID: 907e17ba497d8fc11da0e85245afbe62a0ffc8c436387d4d0b367c4a158b60f9
                        • Instruction ID: c9fee28c1427f46ab7d2384cf674ab658c84b6084a77341715322ca3418d2187
                        • Opcode Fuzzy Hash: 907e17ba497d8fc11da0e85245afbe62a0ffc8c436387d4d0b367c4a158b60f9
                        • Instruction Fuzzy Hash: AE2137B191034A8FDB10CFAAC4857EEBBF0BF98314F24842ED559A7240CB789945CBA5

                        APIs
                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 072176CE
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2221695574.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_7210000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID:
                        • API String ID: 983334009-0
                        • Opcode ID: 24005d54ce0a550582a2108edca8b9265fef7f2bc6c9de6a708d99bfa1c100c8
                        • Instruction ID: effa2aa5ecb9e10749157ca1a541c198a39cad9b6302e7396558562ec10441e0
                        • Opcode Fuzzy Hash: 24005d54ce0a550582a2108edca8b9265fef7f2bc6c9de6a708d99bfa1c100c8
                        • Instruction Fuzzy Hash: D62138B191030A8FDB10CFAAC4857AEBBF4BF98324F14842ED559A7340CB789945CFA5
                        APIs
                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07217D90
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2221695574.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_7210000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID:
                        • API String ID: 1726664587-0
                        • Opcode ID: 1c85d460407ad88328b74ccbc2e9d2426f81015c8609ab8c12c66bdb96942c2f
                        • Instruction ID: ec131a531c9e5e8d94f5ffe9cd83342a1fe467711bc414f53058dff5f23994f6
                        • Opcode Fuzzy Hash: 1c85d460407ad88328b74ccbc2e9d2426f81015c8609ab8c12c66bdb96942c2f
                        • Instruction Fuzzy Hash: BE2128B180035A9FDB10CFAAC881BEEBBF5FF88310F108429E519A7240D7789550CBA5
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0163D717
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2215753142.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_1630000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: f21c4e5ba5bc124bd2f74e73109b9e9cfc7881485cfa85fb36168ffed7fe8499
                        • Instruction ID: 74f8bb70dc0b7e8a15e72408516a8da6a12ab9958f5bc8de432d1e8778b92284
                        • Opcode Fuzzy Hash: f21c4e5ba5bc124bd2f74e73109b9e9cfc7881485cfa85fb36168ffed7fe8499
                        • Instruction Fuzzy Hash: 7421E0B5900249DFDB10CFAAD984AEEBBF4FB48324F14841AE918A3350D378A950CF60
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0163D717
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2215753142.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_1630000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: 1e457b2b6a2b564dec34df8c6f8660324287869937ad540761fe0357682d6f4c
                        • Instruction ID: 37bca2bf9484f31236e021e77cbc3063106e685cdfed75fd1ddc6e2b5d7a1db3
                        • Opcode Fuzzy Hash: 1e457b2b6a2b564dec34df8c6f8660324287869937ad540761fe0357682d6f4c
                        • Instruction Fuzzy Hash: 3821C4B5900249DFDB10CF9AD984ADEBFF4FB48324F14841AE918A3350D378A954CFA5
                        APIs
                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07217BCE
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2221695574.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_7210000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 2e5ce1f2c57dda9de11476c8c2c90dc0d4868002f44acd8419cdf66d7baa4db8
                        • Instruction ID: f140b5575492581706f659199d6296932ddfc97747835c9876bb4b03cc969aa3
                        • Opcode Fuzzy Hash: 2e5ce1f2c57dda9de11476c8c2c90dc0d4868002f44acd8419cdf66d7baa4db8
                        • Instruction Fuzzy Hash: 5511597290024ADFDB10CFA9C844BEEBFF5BF98320F248819E559A7250C7799550CFA0
                        APIs
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2221695574.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_7210000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        • Opcode ID: 0b8e9d6bc581145c0e576f369c2b259cf022aee9b7ed801d23a443fa90e16180
                        • Instruction ID: cd93ac75601f635fc43ff3c6020c229f7128f8dc9df6c61f2018bdcc534d3281
                        • Opcode Fuzzy Hash: 0b8e9d6bc581145c0e576f369c2b259cf022aee9b7ed801d23a443fa90e16180
                        • Instruction Fuzzy Hash: 19115BB190034A8FDB20DFAAC4457DEFFF4EF98624F24841DD559A7240CB756940CBA5
                        APIs
                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07217BCE
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2221695574.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_7210000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: d95c11dc56f45b9d3fd15080b0a9a01e5bde9d791de9dacaedf13a914aa85e07
                        • Instruction ID: 273b6e99933d10028b5af2902af89bf68f83f28c32dc1dceef5dd8c057b4797d
                        • Opcode Fuzzy Hash: d95c11dc56f45b9d3fd15080b0a9a01e5bde9d791de9dacaedf13a914aa85e07
                        • Instruction Fuzzy Hash: 1611567280034A9FDB10CFAAC844BDEBBF5AF98320F208419E519A7250CB79A550CBA0
                        APIs
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2221695574.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_7210000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        • Opcode ID: c0d4b0fa305136a9de06ce21a98e1d05b24f2e1893c8f6f81e059e08d0067a0e
                        • Instruction ID: 0457014815f6c6bb87e69f38f6755ae9593c0421aac3a06ee67a911974379702
                        • Opcode Fuzzy Hash: c0d4b0fa305136a9de06ce21a98e1d05b24f2e1893c8f6f81e059e08d0067a0e
                        • Instruction Fuzzy Hash: 431136B1D0034A8FDB20DFAAC44579EFBF4AF98724F248819D519A7340CB79A940CBA5
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 0721BAFD
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2221695574.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_7210000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        • Opcode ID: 4a6326e663409bbda6ecb4e156eeb39d86f4da73b6fc65c7b5c08331171afa5d
                        • Instruction ID: f0f899bcce70ef94f51c0455252fddc0ccdb9ac40a586cd830f8999eb69b1fe2
                        • Opcode Fuzzy Hash: 4a6326e663409bbda6ecb4e156eeb39d86f4da73b6fc65c7b5c08331171afa5d
                        • Instruction Fuzzy Hash: A81116B58007499FDB10DF99D484BDEFFF8EB49320F14844AE554A3241C3756554CFA1
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 0721BAFD
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2221695574.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_7210000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        • Opcode ID: 98c3fcbbf29a1e2745e0dccaeb9c0bb4f1482f2a4a897002dc5fd3b68df64ce3
                        • Instruction ID: b218c36851ea1b9b1b74c355129e5b688af25b746496c4630ad9b87b22deaaff
                        • Opcode Fuzzy Hash: 98c3fcbbf29a1e2745e0dccaeb9c0bb4f1482f2a4a897002dc5fd3b68df64ce3
                        • Instruction Fuzzy Hash: 891133B5810349DFCB20DF9AC488BDEBBF8FB58320F108419E919A3200C3B5A940CFA0
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0163AFFE
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2215753142.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_1630000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: dc8df1b97f5ba3bba280b99eb2fd9d58b97d31e6697f6ec9ce6cbe359f27aed5
                        • Instruction ID: 1b953d6073cdf89f91a9a18dd4f532a19b8aba43eca99ec542a5803e104b0556
                        • Opcode Fuzzy Hash: dc8df1b97f5ba3bba280b99eb2fd9d58b97d31e6697f6ec9ce6cbe359f27aed5
                        • Instruction Fuzzy Hash: 67110FB6C007498FDB20CF9AC844B9EFBF4AB88324F10841AD529A7210D379A545CFA1
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2215077988.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_144d000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c725199229182ff0056d6846cc39ea6adf1770b388791d78b1ab270ecbba0090
                        • Instruction ID: 1e2ec1bf3ebb77dd9bf7764734021f961696e54bff95b2b4301d2b38e013129a
                        • Opcode Fuzzy Hash: c725199229182ff0056d6846cc39ea6adf1770b388791d78b1ab270ecbba0090
                        • Instruction Fuzzy Hash: 99210672904240DFEB05DF94D9C0B2BBF65FB98320F20C56AED090B266C376D416CBA1
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2215077988.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_144d000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8469cfa9859a5ca4db482e231af91197ca722cad3a25e3fe83346a3f1e8c4d94
                        • Instruction ID: 483f7f21a4c7a0a8af303d9943402da247d394484af63c685774030a9d741776
                        • Opcode Fuzzy Hash: 8469cfa9859a5ca4db482e231af91197ca722cad3a25e3fe83346a3f1e8c4d94
                        • Instruction Fuzzy Hash: C6210372A04240EFEB05DF54D9C0B2BBF65FB98318F20C56EE9090B266C736D456CAA1
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2215437749.00000000015AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015AD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_15ad000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9cbbba000c96975392d839103631d6e52d850b89f0a7349d032e8b3a043b14e5
                        • Instruction ID: 9103e02ea0c9c46bcd5fca2a7609d9c52b828e2ae64008c38c701caa95de5a49
                        • Opcode Fuzzy Hash: 9cbbba000c96975392d839103631d6e52d850b89f0a7349d032e8b3a043b14e5
                        • Instruction Fuzzy Hash: 90214275284200EFCB14EF64D9C0B2ABBB1FB88314F60C96DD90A0F652D37AC407CA61
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2215437749.00000000015AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015AD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_15ad000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 21ff4255b5b4a34570adf825defaacfc02c6db79eceba6df5b7834e267bb4b9b
                        • Instruction ID: 85552eb275243c0e4e7a369fe86dc1fab6a27c46149d88f056b337b971b28f3f
                        • Opcode Fuzzy Hash: 21ff4255b5b4a34570adf825defaacfc02c6db79eceba6df5b7834e267bb4b9b
                        • Instruction Fuzzy Hash: 3F21FF75544200EFDB05EF94D980B2EBBB1FF84324F60C96DE90A4F652C77AD806CA61
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2215437749.00000000015AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015AD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_15ad000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 21269b2dfd2092d8a02b3a8619f90aff09ff7d08dbcece3e62f3dc54e8597901
                        • Instruction ID: 3415e90344ba16a715a0950643b617849ae5e188de88a335523eb6c5f031a084
                        • Opcode Fuzzy Hash: 21269b2dfd2092d8a02b3a8619f90aff09ff7d08dbcece3e62f3dc54e8597901
                        • Instruction Fuzzy Hash: 36218E755493808FCB02DF24D990719BF71FB46214F28C5EAD8498F6A7C33A980ACB62
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2215077988.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_144d000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 45d2786e60e1e4201bb004dcd9f59ae96814e242b2a6b2dda49e09682ea99c03
                        • Instruction ID: d8f1a64d6ea33a47a37d1b66f84caccd1625d1f1e9386a17d5c1fa5d9cded651
                        • Opcode Fuzzy Hash: 45d2786e60e1e4201bb004dcd9f59ae96814e242b2a6b2dda49e09682ea99c03
                        • Instruction Fuzzy Hash: AE21AF76904284DFDB06CF54D9C4B56BF72FB84324F24C5AADD090B666C33AD426CBA1
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2215077988.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_144d000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                        • Instruction ID: 7e6134405b1cab38e43fba5fb77e8d6fc6bfcee3076092fd1c5fb276ffb9aa9e
                        • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                        • Instruction Fuzzy Hash: FB11DF76904280CFDB02CF54D9C0B16BF71FB94318F24C6AAD8090B266C33AD456CBA1
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2215437749.00000000015AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015AD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_15ad000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                        • Instruction ID: 3b90b425ff2cf24610fa90e9cda43146caafc462c33295911524e7ed5c96154c
                        • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                        • Instruction Fuzzy Hash: 9411BB75544280DFCB02DF54D5C4B19BFB1FF84224F24C6A9D8494F6A6C33AD40ACB61
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2215077988.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_144d000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4bed310192fe9eca21445ca2f901db19a743487915befa6e667216a129a849d8
                        • Instruction ID: e78a4b6de21bdf1dcfdf4891cffcf66b3c135afc60f15ebf2d9f7e91cb8ac9f2
                        • Opcode Fuzzy Hash: 4bed310192fe9eca21445ca2f901db19a743487915befa6e667216a129a849d8
                        • Instruction Fuzzy Hash: 3401F7758043809BF7109FA9CD84B27BF98DF51264F18C51BEE080A3A6C6799441C671
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2215077988.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_144d000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: aa88f89e20d95630505ad09f34eb105003a37bf95208d2cdcc0a2d1fa844b320
                        • Instruction ID: d7a50becffd986aece6a625b559ae7b587832e5b035e2dfbe33f35116b232ecc
                        • Opcode Fuzzy Hash: aa88f89e20d95630505ad09f34eb105003a37bf95208d2cdcc0a2d1fa844b320
                        • Instruction Fuzzy Hash: C1F0C2764043849BFB108E19C888B63FF98EB91634F18C05BED080A396C2799840CBB1

                        Execution Graph

                        Execution Coverage:15.1%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:45
                        Total number of Limit Nodes:6
                        execution_graph 26381 10e0848 26383 10e084e 26381->26383 26382 10e091b 26383->26382 26385 10e1370 26383->26385 26386 10e1386 26385->26386 26387 10e1474 26386->26387 26391 10e6f68 26386->26391 26395 10e7080 26386->26395 26403 10e6ec7 26386->26403 26387->26383 26393 10e6f7e 26391->26393 26392 10e70ea 26392->26386 26393->26392 26407 5fcef0f 26393->26407 26396 10e708a 26395->26396 26399 10e70a4 26396->26399 26400 5fcd428 GlobalMemoryStatusEx 26396->26400 26415 5fcd668 26396->26415 26424 5fcd419 26396->26424 26397 10e70ea 26397->26386 26398 5fcef0f GlobalMemoryStatusEx 26398->26397 26399->26397 26399->26398 26400->26399 26404 10e6ef0 26403->26404 26405 10e6f34 26404->26405 26406 5fcef0f GlobalMemoryStatusEx 26404->26406 26405->26386 26406->26405 26408 5fcef1a 26407->26408 26411 5fcd428 26408->26411 26410 5fcef21 26410->26392 26413 5fcd43d 26411->26413 26412 5fcd652 26412->26410 26413->26412 26414 5fcd668 GlobalMemoryStatusEx 26413->26414 26414->26413 26416 5fcd66c 26415->26416 26419 5fcd676 26416->26419 26420 5fcd43d 26416->26420 26417 5fcd69e 26417->26399 26418 5fcd652 26418->26399 26419->26417 26428 5fce200 26419->26428 26420->26418 26422 5fcd668 GlobalMemoryStatusEx 26420->26422 26422->26420 26426 5fcd428 26424->26426 26425 5fcd652 26425->26399 26426->26425 26427 5fcd668 GlobalMemoryStatusEx 26426->26427 26427->26426 26431 5fce228 26428->26431 26429 5fcd7ab 26429->26399 26432 5fce245 26431->26432 26434 5fce26d 26431->26434 26432->26429 26433 5fce28e 26433->26429 26434->26433 26435 5fce356 GlobalMemoryStatusEx 26434->26435 26436 5fce386 26435->26436 26436->26429
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 19900f44ca214318ef038616ac031390d001b6c842ecac8c0165e4ce6b20c129
                        • Instruction ID: a2299e8c686859675de63a00489ee895d6e676eae5efd570a90a158020c05eed
                        • Opcode Fuzzy Hash: 19900f44ca214318ef038616ac031390d001b6c842ecac8c0165e4ce6b20c129
                        • Instruction Fuzzy Hash: 3B53F731D10B1A8ADB51EF69C884599F7B1FF99300F15C79AE4987B121FB70AAC4CB81
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 66e0b216293fbe73efb90f2429b4a19e8ad96073b2b1d1aca7fe5facc79030bd
                        • Instruction ID: 5a4cf55f72fa4968a4877d55d470808602a189cada288677f5f069ba4d37e769
                        • Opcode Fuzzy Hash: 66e0b216293fbe73efb90f2429b4a19e8ad96073b2b1d1aca7fe5facc79030bd
                        • Instruction Fuzzy Hash: DA332C31D1071A8EDB11EF69C8946ADF7B1FF99300F14C79AE458A7211EB70AAC5CB81
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4eac9d615b0470a714f342a8fbfb1ba018c0de5935e18e1d88b621503119c727
                        • Instruction ID: ac2d50553b10bf315ca99b525dd9cee1f5e3ab6aa0124c057226dac70ae7bf43
                        • Opcode Fuzzy Hash: 4eac9d615b0470a714f342a8fbfb1ba018c0de5935e18e1d88b621503119c727
                        • Instruction Fuzzy Hash: 15522C30A002068FDB64DF69C588B9DBBF2EF89314F5485AAD489EB351DB75EC81CB41

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 4109 10e41b8-10e421e 4111 10e4268-10e426a 4109->4111 4112 10e4220-10e422b 4109->4112 4113 10e426c-10e4285 4111->4113 4112->4111 4114 10e422d-10e4239 4112->4114 4120 10e4287-10e4293 4113->4120 4121 10e42d1-10e42d3 4113->4121 4115 10e425c-10e4266 4114->4115 4116 10e423b-10e4245 4114->4116 4115->4113 4118 10e4249-10e4258 4116->4118 4119 10e4247 4116->4119 4118->4118 4122 10e425a 4118->4122 4119->4118 4120->4121 4123 10e4295-10e42a1 4120->4123 4124 10e42d5-10e432d 4121->4124 4122->4115 4125 10e42c4-10e42cf 4123->4125 4126 10e42a3-10e42ad 4123->4126 4133 10e432f-10e433a 4124->4133 4134 10e4377-10e4379 4124->4134 4125->4124 4127 10e42af 4126->4127 4128 10e42b1-10e42c0 4126->4128 4127->4128 4128->4128 4130 10e42c2 4128->4130 4130->4125 4133->4134 4135 10e433c-10e4348 4133->4135 4136 10e437b-10e4393 4134->4136 4137 10e434a-10e4354 4135->4137 4138 10e436b-10e4375 4135->4138 4143 10e43dd-10e43df 4136->4143 4144 10e4395-10e43a0 4136->4144 4139 10e4358-10e4367 4137->4139 4140 10e4356 4137->4140 4138->4136 4139->4139 4142 10e4369 4139->4142 4140->4139 4142->4138 4145 10e43e1-10e4432 4143->4145 4144->4143 4146 10e43a2-10e43ae 4144->4146 4154 10e4438-10e4446 4145->4154 4147 10e43b0-10e43ba 4146->4147 4148 10e43d1-10e43db 4146->4148 4150 10e43be-10e43cd 4147->4150 4151 10e43bc 4147->4151 4148->4145 4150->4150 4152 10e43cf 4150->4152 4151->4150 4152->4148 4155 10e444f-10e44af 4154->4155 4156 10e4448-10e444e 4154->4156 4163 10e44bf-10e44c3 4155->4163 4164 10e44b1-10e44b5 4155->4164 4156->4155 4166 10e44c5-10e44c9 4163->4166 4167 10e44d3-10e44d7 4163->4167 4164->4163 4165 10e44b7 4164->4165 4165->4163 4166->4167 4168 10e44cb 4166->4168 4169 10e44d9-10e44dd 4167->4169 4170 10e44e7-10e44eb 4167->4170 4168->4167 4169->4170 4173 10e44df-10e44e2 call 10e0ab8 4169->4173 4171 10e44ed-10e44f1 4170->4171 4172 10e44fb-10e44ff 4170->4172 4171->4172 4175 10e44f3-10e44f6 call 10e0ab8 4171->4175 4176 10e450f-10e4513 4172->4176 4177 10e4501-10e4505 4172->4177 4173->4170 4175->4172 4180 10e4515-10e4519 4176->4180 4181 10e4523-10e4527 4176->4181 4177->4176 4179 10e4507-10e450a call 10e0ab8 4177->4179 4179->4176 4180->4181 4183 10e451b 4180->4183 4184 10e4529-10e452d 4181->4184 4185 10e4537 4181->4185 4183->4181 4184->4185 4186 10e452f 4184->4186 4187 10e4538 4185->4187 4186->4185 4187->4187
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 42ed64044d99ce7ccae3b69eb4cf2d5cd82f7d90c9d5d6c5aeda29e41b6c71d0
                        • Instruction ID: 64253c7e4d4175ac3a9fc5bbb3ee36cf8998be9f38644a067354efaa721ed853
                        • Opcode Fuzzy Hash: 42ed64044d99ce7ccae3b69eb4cf2d5cd82f7d90c9d5d6c5aeda29e41b6c71d0
                        • Instruction Fuzzy Hash: A3B13B71E002198FDF54CFAAC8897EEBBF2BF88714F148129D855E7294EB749845CB81
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 81d71f7cb8051c602c7ba499fa9e7a4c95d1689da26b10e15f1177c4dedfadb1
                        • Instruction ID: 5cf24c1c9e3299a7ca99ea6509835b2fe92e4d588b170cd0e9eaf1a9beb12683
                        • Opcode Fuzzy Hash: 81d71f7cb8051c602c7ba499fa9e7a4c95d1689da26b10e15f1177c4dedfadb1
                        • Instruction Fuzzy Hash: E8B17B70E04209CFDF54CFAAC8997EDBBF2AF88714F148129D854EB294EB759845CB81
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c2efe40af4e6352f0356897fa0f01802fe1d38f865ffdb8b29214040b04bd458
                        • Instruction ID: 72ace4e90553c7713de9481848ca110f4a2352aa7c77a533abc2dfc741c01745
                        • Opcode Fuzzy Hash: c2efe40af4e6352f0356897fa0f01802fe1d38f865ffdb8b29214040b04bd458
                        • Instruction Fuzzy Hash: 99915A70E002098FDF54CFAAC98979EBFF2BF88714F148169E485EB254EB749845CB81

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1137 5fce228-5fce243 1138 5fce26d-5fce28c call 5fcd3f4 1137->1138 1139 5fce245-5fce26c call 5fcd3e8 1137->1139 1145 5fce28e-5fce291 1138->1145 1146 5fce292-5fce2f1 1138->1146 1153 5fce2f7-5fce384 GlobalMemoryStatusEx 1146->1153 1154 5fce2f3-5fce2f6 1146->1154 1157 5fce38d-5fce3b5 1153->1157 1158 5fce386-5fce38c 1153->1158 1158->1157
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4582928112.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_5fc0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4d36a5c2baf7585ab290c6e1340432573f6e93f1e9801bf20a34f4ef1c2941db
                        • Instruction ID: a056be73909d858db2a7c846be081a7ba5387c206295a3d6af8d3d07ceee870a
                        • Opcode Fuzzy Hash: 4d36a5c2baf7585ab290c6e1340432573f6e93f1e9801bf20a34f4ef1c2941db
                        • Instruction Fuzzy Hash: 27411232D187568FCB04DFA9D8447EEBFF5AF89210F1486AAD505A7240DB789885CBA0

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1161 5fce310-5fce34e 1162 5fce356-5fce384 GlobalMemoryStatusEx 1161->1162 1163 5fce38d-5fce3b5 1162->1163 1164 5fce386-5fce38c 1162->1164 1164->1163
                        APIs
                        • GlobalMemoryStatusEx.KERNELBASE(8B55051E), ref: 05FCE377
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4582928112.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_5fc0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID: GlobalMemoryStatus
                        • String ID:
                        • API String ID: 1890195054-0

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        • Instruction Fuzzy Hash: 8B3109386021418FDF57973DE56C7193BE2EB85318F0409ADD089CB657EA78D845CB92
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4ccb5861acdcfb1bd2387ba6583e1369be790f3c8986ef93287d82765babe669
                        • Instruction ID: 3c198cfe7a602f061d6c6321abbd4760c138c170a9a14ef324d90385910e13ec
                        • Opcode Fuzzy Hash: 4ccb5861acdcfb1bd2387ba6583e1369be790f3c8986ef93287d82765babe669
                        • Instruction Fuzzy Hash: 72318D30E002469FDB06CFA9C59469EFBF2BF85304F14C65AE845BB341DB709842CB80
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9d4cc304034ae47ae05c56341197909256cf4d71c709746a738b18f9f30e6067
                        • Instruction ID: c3f592b923080d336fb5d8e8265cbbe05bbbf89f4d30bfe4991f98ad891feba2
                        • Opcode Fuzzy Hash: 9d4cc304034ae47ae05c56341197909256cf4d71c709746a738b18f9f30e6067
                        • Instruction Fuzzy Hash: 3C218030E0020A9FDB16CFAAD59469EF7F2BF89304F50C659E855BB341DB709842CB90
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 53b180fe9484b1f7ac74550c9e8839d20c8107a87c4c18189b2991bfda60aee0
                        • Instruction ID: e6c34f87a624c827fb90031f6f26aed6f361a4ffbb222bb7714b3a7156944d91
                        • Opcode Fuzzy Hash: 53b180fe9484b1f7ac74550c9e8839d20c8107a87c4c18189b2991bfda60aee0
                        • Instruction Fuzzy Hash: 17219031E006499FCB19CFA9D4586EEFBF2AF89314F10855EE852BB341DB709942CB50
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571194778.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_109d000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d273abcb91e35ebf2ea12f35ba83954a2d0e2eb8de3218cabaf01bb25d79d329
                        • Instruction ID: f6d567362a95f89b0386af9e32c0c794c68b60aae51109f58709147571004a7d
                        • Opcode Fuzzy Hash: d273abcb91e35ebf2ea12f35ba83954a2d0e2eb8de3218cabaf01bb25d79d329
                        • Instruction Fuzzy Hash: B52167B6240200FFDF05CF58C9D0B29BBA1FB84314F20C5ADE9890B292C33AD446CB61
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f5e0df3d8c60051d6ce57b742dfd919741a6d67197d90e2342976fa6ec67370d
                        • Instruction ID: 34ed2e95a1972b689a972de7128c8b73a09478b563a54325d8f09ee479a3fd94
                        • Opcode Fuzzy Hash: f5e0df3d8c60051d6ce57b742dfd919741a6d67197d90e2342976fa6ec67370d
                        • Instruction Fuzzy Hash: BA218E30B00249CFDB69EB79C6597AE7BF2AB49304F5004ADD046EB2A0DB758D41CBA1
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4025d8188e3c2e2a0a462e1b0cf580f7e7988854d72494355c9e07bb553d35d8
                        • Instruction ID: ec0564c7ec2d6683b2788af2588a0af618198188d8b3a0f183b779ff17c5649b
                        • Opcode Fuzzy Hash: 4025d8188e3c2e2a0a462e1b0cf580f7e7988854d72494355c9e07bb553d35d8
                        • Instruction Fuzzy Hash: 35214834B00204CFCB64EB79D568AAD7BF2AF89704F1044A9F546EB3A5EB769D01CB50
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3e8e3f191d0b1b6b80969743f9b52d4a86d2e306f30bca9bfa75b854a9817b78
                        • Instruction ID: 29ac160a7872a4b7b29d94ff4dcbabc2b8ce1d87c3db0acf0ec4ce458ebeb4df
                        • Opcode Fuzzy Hash: 3e8e3f191d0b1b6b80969743f9b52d4a86d2e306f30bca9bfa75b854a9817b78
                        • Instruction Fuzzy Hash: EC215E30E4061A9FDB19CFAAC858A9EF7F6AF89304F10855AE815BB341DB70A941CB50
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2500c38ba8c9e289596b9c8ea3def262f86d8883e905706f621d62d809b27120
                        • Instruction ID: efd9ebf51eedbcaa57edb81136acd9584478fefe32a78e1fed1238f0c9f95f1f
                        • Opcode Fuzzy Hash: 2500c38ba8c9e289596b9c8ea3def262f86d8883e905706f621d62d809b27120
                        • Instruction Fuzzy Hash: B821A5B06022109FDB7B573DE55C3683BE1E746318F1405BAE196C7396DE79CC828742
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7d8eaf28d1f92eb33dacbd2219602edb33c43daaac942f7f5a59cd0f029daf75
                        • Instruction ID: b94ddb1ad1a5d956b5d03e66b6eb3f0ee634b427e29b88abec028533f8846dc4
                        • Opcode Fuzzy Hash: 7d8eaf28d1f92eb33dacbd2219602edb33c43daaac942f7f5a59cd0f029daf75
                        • Instruction Fuzzy Hash: ED216D30B00209CFDB68EB79D5687AE7BF2AB89205F5004A9D146EB390DF75DD41CBA1
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 590d3fb446a690ef6f5a48a7b1000adccefe449a9b8b6c9a47bf8938c2423f44
                        • Instruction ID: 39cce77a132294f25152f5a4fcdc8da4b9f103ad711deaadbdf36a1ead9b61b9
                        • Opcode Fuzzy Hash: 590d3fb446a690ef6f5a48a7b1000adccefe449a9b8b6c9a47bf8938c2423f44
                        • Instruction Fuzzy Hash: FA1178317083950FDB0A6FB898205AE3FB7AFC6550704046AE145DB392DF384C02C7A6
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8539749c76c47cfc6aa911acd4f603a7a892a2dc7916bda6d4988fde4521afc6
                        • Instruction ID: 1d8886a96cd9308ccc40c4266d12564daeba4ece2970808952e3b7e01e3a2d44
                        • Opcode Fuzzy Hash: 8539749c76c47cfc6aa911acd4f603a7a892a2dc7916bda6d4988fde4521afc6
                        • Instruction Fuzzy Hash: EE21C6386021018FEF66E72DE958B1D37E6FB8431CF105579D04AC765BEA78D8408B92
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ac466eb96a6326571c58af0156c443412e1fe33719f122bea0c31e995300244c
                        • Instruction ID: d7617b8283e9cd2e7f07f1617cd094a873dad3bd20e998e972f51a40cf7f0a9e
                        • Opcode Fuzzy Hash: ac466eb96a6326571c58af0156c443412e1fe33719f122bea0c31e995300244c
                        • Instruction Fuzzy Hash: EA2101717052449FC719EB38E0647AE3BF2EFD5610F0044AED045CB68AEE758C86CB81
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9437ce9243177b889592647c108c222141d092b2da9a39af96b7e13c2920a727
                        • Instruction ID: 7ef8146e18b8cc9255d76e836465285d6544e6da922fb538a5ed16f2b7df18dd
                        • Opcode Fuzzy Hash: 9437ce9243177b889592647c108c222141d092b2da9a39af96b7e13c2920a727
                        • Instruction Fuzzy Hash: 68213634700208CFCB64EB79C55CA9D7BF2AB89604F1044A9F546EB3A4EB769D01CB50
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b98897446146da151287fa5282c5d4988d2400e3c08ca17fad0fe189d6d8f538
                        • Instruction ID: feb34c226073e5891dbcef1fce2957a612b04bca02f2d22861b25de71c80a960
                        • Opcode Fuzzy Hash: b98897446146da151287fa5282c5d4988d2400e3c08ca17fad0fe189d6d8f538
                        • Instruction Fuzzy Hash: AF11B230B012098FEFA56A7EC61872936D1FB85218F2045B9F1C6CF24EDAB5CC818BD1
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b602702c9394f3ae536e4c51df2fe0a34882db40ff274eeaf61469a2da2e377c
                        • Instruction ID: 77099eea37eed2114bc8650e50e1f420610ec85c3d9dbe428dd5ad7e56ae9705
                        • Opcode Fuzzy Hash: b602702c9394f3ae536e4c51df2fe0a34882db40ff274eeaf61469a2da2e377c
                        • Instruction Fuzzy Hash: AB11A730B012099FEF665A7AC62836D36D5E741218F1049B9F5C6CF28FDAA5C8418BD2
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d2bb08bd03349b2e666ddbba407aacc00a10bb175c33eb7394c2cbed8b6649e1
                        • Instruction ID: b28db682c2f75d1f25003e2c49cfe8816184202d2a951c1f17ec07696e118396
                        • Opcode Fuzzy Hash: d2bb08bd03349b2e666ddbba407aacc00a10bb175c33eb7394c2cbed8b6649e1
                        • Instruction Fuzzy Hash: 00118272B002158FCF61AFBD84981AE7BE5AF58210B1404BAD885EB341EB35C942CB91
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 060b04c2f348122d4d9258913617f48a2b382c11d86f67b81197b0e34109777c
                        • Instruction ID: 459327b37060c5d88a90e916a1598211cfa149e459d18f3b550dbc01d39f44b6
                        • Opcode Fuzzy Hash: 060b04c2f348122d4d9258913617f48a2b382c11d86f67b81197b0e34109777c
                        • Instruction Fuzzy Hash: 58112675F022918FCB15EFB9990865E7FFAFB88264F1404B9E956D7704FA308951C780
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9ed70fd9d4569bfe654499d52b4220b35f6af6bb940d5136e5c76c45b8225dd6
                        • Instruction ID: bb005a40739fc3338d1e23f8020d412d2c90dc6337cbc6c05b661e8cf09b53d1
                        • Opcode Fuzzy Hash: 9ed70fd9d4569bfe654499d52b4220b35f6af6bb940d5136e5c76c45b8225dd6
                        • Instruction Fuzzy Hash: 0D018072F002158FCB61EFBE84481AE7BF5EF49220B6404BAD845E7341EA35D842CB91
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571194778.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_109d000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                        • Instruction ID: d3074077923f99b740239406deff6a63a9c6e2a036da23fd3a196cad02c0f70a
                        • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                        • Instruction Fuzzy Hash: 0A11DDB6544280DFDB06CF58C9D0B15BFB2FB84314F24C6A9D8894B692C33AD44ACF61
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 784393c350b3fc81ddc79e4ddbfd45f6d979687651e70e2c02493b96a312d113
                        • Instruction ID: e98f660ffaddd5a5c07a2ea81e3e17d31e50896ac6cccf7c1683dd8c80b7c761
                        • Opcode Fuzzy Hash: 784393c350b3fc81ddc79e4ddbfd45f6d979687651e70e2c02493b96a312d113
                        • Instruction Fuzzy Hash: 2E112631A002018FDB04EF99D988399BFB1FF80311F54C168C9886F29ADBB4D905C7A0
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9b5357fb4451ded0369460c81eb56e62cc676f9e3728e69c3ef80e1c6fbd6ea2
                        • Instruction ID: e9a8b615c88be38eb26ac7bf6a0444af3df65dc706f2af85334319abc41edfe4
                        • Opcode Fuzzy Hash: 9b5357fb4451ded0369460c81eb56e62cc676f9e3728e69c3ef80e1c6fbd6ea2
                        • Instruction Fuzzy Hash: 8E012838702204CFC728DB74D558B6C3BB2EF89215F5400A8E506DB3A8DB35AD82CB40
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: eb23a6c60ed9bc732db9051c1debd9e83bcd02471e174f153f50b945892aefb8
                        • Instruction ID: 7063de18113b2e91a89047c1a217f5242cb6dade473f77d86e94d3166a75cf5e
                        • Opcode Fuzzy Hash: eb23a6c60ed9bc732db9051c1debd9e83bcd02471e174f153f50b945892aefb8
                        • Instruction Fuzzy Hash: B1018474501187DBDB06EB64F96069C7BA1EB81208B44139CC1546F296EE751E128B81
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 96995dc2493d4cfdda01ea5758e0c7afc71e30344f012a8dbdb87c4c9a96eda8
                        • Instruction ID: 6459eb9daa8cf6f0e0676c07ce0b651b99ffef2af74fe92c636b7721423d60a3
                        • Opcode Fuzzy Hash: 96995dc2493d4cfdda01ea5758e0c7afc71e30344f012a8dbdb87c4c9a96eda8
                        • Instruction Fuzzy Hash: F4F08473B04210CFDB228BEA98980ECBFF1EEA822170900D7D882DB341C734D802CB51
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 36efd041878435d79134b8f579f29d65da9c1e82f10e9d89253093208c5ec293
                        • Instruction ID: 56a7012aebf25d229a87434b7723a3f55e5549310a5d2ec71257e745f31550d2
                        • Opcode Fuzzy Hash: 36efd041878435d79134b8f579f29d65da9c1e82f10e9d89253093208c5ec293
                        • Instruction Fuzzy Hash: AFF09071E001284AEB54DEAE88005DFFBE9FBC8620F208577D544E3201D231990187D0
                        Memory Dump Source
                        • Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4c4748dea47fedd3eee872eb3abca31e4e9887f72693b844b9bb5cf9b7f3cba5
                        • Instruction ID: e6ba04d2884f61f733f55f5344416c26ae549a73966459b22ead67af19d01c57
                        • Opcode Fuzzy Hash: 4c4748dea47fedd3eee872eb3abca31e4e9887f72693b844b9bb5cf9b7f3cba5
                        • Instruction Fuzzy Hash: 86F0A43490114AEFDB05FBA4FA6099C7BB1FB80308F4052ACC108AB255EF746E158B81
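The records above are the per-function output of the Joe Sandbox IDA plugin for the process-14 memory dumps; every one of them has empty API ID and String ID fields, so the only handles on these functions are the Opcode/Instruction IDs and the fuzzy hashes. The following parser is an added example, not code from the report or from Joe Sandbox: it splits such a listing into one dict per function, groups functions by originating dump, lists the functions with no API or string reference, and builds an Instruction-Fuzzy-Hash index for comparison against another analysis. The two embedded sample records are copied verbatim from the section above; the meaning of the dotted fields inside the `.sdmp` file name is not decoded here because the page does not explain them.

```python
"""Parse Joe Sandbox 'Memory Dump Source' function records (added example,
not part of the report).  Each record is a run of '• key: value' lines that
starts at a 'Memory Dump Source' line."""
import re
from collections import defaultdict

# Two records copied from the report section above (sample input; the rest
# of the listing has exactly the same shape).
SAMPLE = """\
Memory Dump Source
• Source File: 0000000E.00000002.4571541369.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10e0000_GvgUQlbRIXOe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a343204be1670e82702a40785b8316e0c29073b5841a4a06874cf5376fa9085
• Instruction ID: c874531cc8d4a4e3d6071056ec34cf7efce1db48d8246a76f0864d838390464a
• Opcode Fuzzy Hash: 1a343204be1670e82702a40785b8316e0c29073b5841a4a06874cf5376fa9085
• Instruction Fuzzy Hash: 6841EFB0D01349DFEB14DF9AC984A9EBFF5FF48310F148029E809AB254DB75A945CB90
Memory Dump Source
• Source File: 0000000E.00000002.4571194778.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_109d000_GvgUQlbRIXOe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d273abcb91e35ebf2ea12f35ba83954a2d0e2eb8de3218cabaf01bb25d79d329
• Instruction ID: f6d567362a95f89b0386af9e32c0c794c68b60aae51109f58709147571004a7d
• Opcode Fuzzy Hash: d273abcb91e35ebf2ea12f35ba83954a2d0e2eb8de3218cabaf01bb25d79d329
• Instruction Fuzzy Hash: B52167B6240200FFDF05CF58C9D0B29BBA1FB84314F20C5ADE9890B292C33AD446CB61
"""

# The 'Source File' line carries three comma-separated fields; pull them apart.
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<file>\S+?),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)")


def parse_records(text):
    """Return one dict per function record.  Keys are the report's own field
    names lower-cased with underscores; empty values (the blank API/String
    IDs in this report) are kept as '' so their absence stays visible."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = {}
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue                      # 'Joe Sandbox IDA Plugin', 'Similarity', ...
        key, _, value = line[1:].strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "Source File":
            m = SOURCE_RE.search(line)
            if m:
                cur["source_file"] = m.group("file")
                cur["offset"] = int(m.group("offset"), 16)
                cur["based_on_pe"] = m.group("pe") == "true"
            continue
        cur[key.lower().replace(" ", "_")] = value
    return records


def group_by_dump(records):
    """Map each memory dump (source file) to the Opcode IDs found in it."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get("source_file", "?")].append(r["opcode_id"])
    return dict(groups)


def functions_without_api_refs(records):
    """Opcode IDs of functions for which the plugin recovered neither an API
    nor a string reference: these cannot be named by import/string matching
    and need manual review or a fuzzy-hash lookup instead."""
    return [r["opcode_id"] for r in records
            if not r.get("api_id") and not r.get("string_id")]


def fuzzy_hash_index(records):
    """Instruction Fuzzy Hash -> Opcode ID, for comparing functions across
    dumps or against a previous analysis of a related sample."""
    return {r["instruction_fuzzy_hash"]: r["opcode_id"] for r in records}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for dump, ids in group_by_dump(recs).items():
        print(dump, len(ids), "function(s)")
    print(len(functions_without_api_refs(recs)), "function(s) with no API/string refs")
```

Run it against the full text of this section (rather than the embedded sample) to get, per dump, the list of functions that still have no API or string anchor; those are the candidates to diff by Instruction Fuzzy Hash against an earlier AgentTesla analysis.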