Windows Analysis Report
Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe

Overview

General Information

Sample name: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
renamed because original name is a hash value
Original sample name: Nowe zamówienie - 0072291855.pdf (243KB).com.exe
Analysis ID: 1567376
MD5: 96493f8a0252e4e492de924d83db5a8a
SHA1: 09dad264469e86a858f0183ed6e5bfe2d53781f4
SHA256: e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879
Tags: comexeuser-abuse_ch

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Quasar RAT
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe (PID: 7756 cmdline: "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe" MD5: 96493F8A0252E4E492DE924D83DB5A8A)
    • powershell.exe (PID: 7956 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8020 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EPhabVgXw.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 8060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 8068 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmp870B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe (PID: 7268 cmdline: "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe" MD5: 96493F8A0252E4E492DE924D83DB5A8A)
      • schtasks.exe (PID: 6772 cmdline: "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 4612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • outlooks.exe (PID: 2596 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" MD5: 96493F8A0252E4E492DE924D83DB5A8A)
        • powershell.exe (PID: 2988 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 1080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 5652 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EPhabVgXw.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 3556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 3892 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmpA8BC.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
          • conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • outlooks.exe (PID: 2968 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" MD5: 96493F8A0252E4E492DE924D83DB5A8A)
          • schtasks.exe (PID: 3248 cmdline: "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
            • conhost.exe (PID: 3476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • EPhabVgXw.exe (PID: 5332 cmdline: C:\Users\user\AppData\Roaming\EPhabVgXw.exe MD5: 96493F8A0252E4E492DE924D83DB5A8A)
    • schtasks.exe (PID: 4844 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmpDA5B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • EPhabVgXw.exe (PID: 8132 cmdline: "C:\Users\user\AppData\Roaming\EPhabVgXw.exe" MD5: 96493F8A0252E4E492DE924D83DB5A8A)
  • outlooks.exe (PID: 6220 cmdline: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe MD5: 96493F8A0252E4E492DE924D83DB5A8A)
    • powershell.exe (PID: 4464 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7800 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EPhabVgXw.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 1624 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmpDCBC.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • outlooks.exe (PID: 7196 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" MD5: 96493F8A0252E4E492DE924D83DB5A8A)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
{"Version": "1.4.1", "Host:Port": "Zyg.ydns.eu:5829;Opy.ydns.eu:5829;", "SubDirectory": "WindowsUpdates", "InstallName": "outlooks.exe", "MutexName": "9c58b2ba-07eb-415a-b48b-21bbb68d32285e", "StartupKey": "Outlooks", "Tag": "JEKWU", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source | Rule | Description | Author | Strings
0000000F.00000002.1548216347.0000000003553000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
0000000B.00000002.1468238184.0000000000720000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000010.00000002.1695231359.0000000002940000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000002.1438590915.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000002.1447999343.0000000003F31000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
Source | Rule | Description | Author | Strings
0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x28d09d:$x1: Quasar.Common.Messages
  • 0x29d3c6:$x1: Quasar.Common.Messages
  • 0x2a9a42:$x4: Uninstalling... good bye :-(
  • 0x2ab237:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen
  • 0x2a8ff4:$f1: FileZilla\recentservers.xml
  • 0x2a9034:$f2: FileZilla\sitemanager.xml
  • 0x2a9076:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x2a92c2:$b1: Chrome\User Data\
  • 0x2a9318:$b1: Chrome\User Data\
  • 0x2a95f0:$b2: Mozilla\Firefox\Profiles
  • 0x2a96ec:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2fb670:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2a9844:$b4: Opera Software\Opera Stable\Login Data
  • 0x2a98fe:$b5: YandexBrowser\User Data\
  • 0x2a996c:$b5: YandexBrowser\User Data\
  • 0x2a9640:$s4: logins.json
  • 0x2a9376:$a1: username_value
  • 0x2a9394:$a2: password_value
  • 0x2a9680:$a3: encryptedUsername
  • 0x2fb5b4:$a3: encryptedUsername
  • 0x2a96a4:$a4: encryptedPassword
  • 0x2fb5d2:$a4: encryptedPassword
  • 0x2fb550:$a5: httpRealm
0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen
  • 0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
  • 0x2a9b2c:$s3: Process already elevated.
  • 0x28cd9c:$s4: get_PotentiallyVulnerablePasswords
  • 0x276e58:$s5: GetKeyloggerLogsDirectory
  • 0x29cb25:$s5: GetKeyloggerLogsDirectory
  • 0x28cdbf:$s6: set_PotentiallyVulnerablePasswords
  • 0x2fcc9e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe", ParentImage: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, ParentProcessId: 7756, ParentProcessName: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe", ProcessId: 7956, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmpA8BC.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmpA8BC.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe", ParentImage: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe, ParentProcessId: 2596, ParentProcessName: outlooks.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmpA8BC.tmp", ProcessId: 3892, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmp870B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmp870B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe", ParentImage: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, ParentProcessId: 7756, ParentProcessName: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmp870B.tmp", ProcessId: 8068, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe", ParentImage: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, ParentProcessId: 7756, ParentProcessName: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe", ProcessId: 7956, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmp870B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmp870B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe", ParentImage: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, ParentProcessId: 7756, ParentProcessName: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmp870B.tmp", ProcessId: 8068, ProcessName: schtasks.exe
No Suricata rule has matched

AV Detection

Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Avira: detected
Source: Zyg.ydns.eu | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Avira: detection malicious, Label: HEUR/AGEN.1357257
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Avira: detection malicious, Label: HEUR/AGEN.1357257
Source: 11.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.400000.0.unpack | Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "Zyg.ydns.eu:5829;Opy.ydns.eu:5829;", "SubDirectory": "WindowsUpdates", "InstallName": "outlooks.exe", "MutexName": "9c58b2ba-07eb-415a-b48b-21bbb68d32285e", "StartupKey": "Outlooks", "Tag": "JEKWU", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | ReversingLabs: Detection: 44%
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | ReversingLabs: Detection: 44%
Source: Yara match | File source: 0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.outlooks.exe.4d31d80.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.outlooks.exe.4d31d80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.1548216347.0000000003553000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1468238184.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1695231359.0000000002940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1438590915.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1447999343.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1695897182.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1468238184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1575341793.0000000004D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1503577997.000000000B571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe PID: 7756, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe PID: 7268, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: EPhabVgXw.exe PID: 5332, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 2596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 6220, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 2968, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.5% probability
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Joe Sandbox ML: detected
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Joe Sandbox ML: detected
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor | URLs: Zyg.ydns.eu
Source: Yara match | File source: 0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.outlooks.exe.4d31d80.1.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.9:49763 -> 156.0.0.7:5829
Source: global traffic | TCP traffic: 192.168.2.9:49821 -> 194.59.31.75:5829
Source: Joe Sandbox View | ASN Name: VODACOM-ZA VODACOM-ZA
Source: Joe Sandbox View | ASN Name: COMBAHTONcombahtonGmbHDE COMBAHTONcombahtonGmbHDE
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: Zyg.ydns.eu
Source: global traffic | DNS traffic detected: DNS query: Opy.ydns.eu
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, EPhabVgXw.exe.0.dr, outlooks.exe.11.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, EPhabVgXw.exe.0.dr, outlooks.exe.11.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: outlooks.exe, 00000010.00000002.1695231359.00000000028F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://localhost/arkanoid_server/requests.php
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, EPhabVgXw.exe.0.dr, outlooks.exe.11.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1438590915.0000000002F8E000.00000004.00000800.00020000.00000000.sdmp, Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 0000000B.00000002.1484751531.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, EPhabVgXw.exe, 0000000C.00000002.1695897182.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 0000000F.00000002.1548216347.0000000003553000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000010.00000002.1695231359.0000000002936000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000018.00000002.3862325749.00000000033AB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1447999343.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1503577997.000000000B571000.00000004.00000800.00020000.00000000.sdmp, Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 0000000B.00000002.1468238184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 0000000F.00000002.1575341793.0000000004D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1447999343.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1503577997.000000000B571000.00000004.00000800.00020000.00000000.sdmp, Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 0000000B.00000002.1468238184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 0000000F.00000002.1575341793.0000000004D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipwho.is/
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1447999343.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1503577997.000000000B571000.00000004.00000800.00020000.00000000.sdmp, Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 0000000B.00000002.1468238184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 0000000F.00000002.1575341793.0000000004D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1447999343.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1503577997.000000000B571000.00000004.00000800.00020000.00000000.sdmp, Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 0000000B.00000002.1468238184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 0000000F.00000002.1575341793.0000000004D31000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000018.00000002.3862325749.00000000033B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1447999343.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1503577997.000000000B571000.00000004.00000800.00020000.00000000.sdmp, Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 0000000B.00000002.1468238184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 0000000F.00000002.1575341793.0000000004D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, EPhabVgXw.exe.0.dr, outlooks.exe.11.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe

E-Banking Fraud

Source: Yara match | File source: 0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.outlooks.exe.4d31d80.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.outlooks.exe.4d31d80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.1548216347.0000000003553000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1468238184.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1695231359.0000000002940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1438590915.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1447999343.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1695897182.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1468238184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1575341793.0000000004D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1503577997.000000000B571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe PID: 7756, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe PID: 7268, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: EPhabVgXw.exe PID: 5332, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 2596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 6220, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 2968, type: MEMORYSTR

System Summary

Source: 0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer | Author: ditekshen
Source: 0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer | Author: ditekshen
Source: 15.2.outlooks.exe.4d31d80.1.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 15.2.outlooks.exe.4d31d80.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 15.2.outlooks.exe.4d31d80.1.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer | Author: ditekshen
Source: 11.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 11.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 11.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer | Author: ditekshen
Source: 15.2.outlooks.exe.4d31d80.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 15.2.outlooks.exe.4d31d80.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 15.2.outlooks.exe.4d31d80.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer | Author: ditekshen
Source: initial sample | Static PE information: Filename: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Code function: 0_2_07EE34AC
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Code function: 0_2_07EE5430
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Code function: 0_2_09931DA8
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Code function: 0_2_099389E5
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Code function: 0_2_0993A940
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Code function: 0_2_09938A28
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Code function: 0_2_09938E50
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Code function: 0_2_09938E60
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Code function: 0_2_09939298
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Code function: 0_2_0993B2F0
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Code function: 11_2_02CEF03C
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Code function: 12_2_029323D8
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Code function: 12_2_02930FC8
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Code function: 12_2_029374BC
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Code function: 12_2_029322F4
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Code function: 12_2_0293A608
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Code function: 12_2_02930860
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Code function: 12_2_02930930
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Code function: 12_2_02930EB5
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Code function: 12_2_02930F1C
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Code function: 12_2_02932D31
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Code function: 12_2_02932D40
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Code function: 12_2_02933719
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Code function: 12_2_02933728
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Code function: 12_2_02931470
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Code function: 12_2_02933530
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_033F23D8
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_033F0FC8
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_033F74BC
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_033F22F4
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_033FA608
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_033F0930
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_033F0860
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_033F0F1C
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_033F0EB5
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_033F2D32
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_033F2D40
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_033F3728
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_033F3719
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_033F3530
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_033F1470
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_085197E8
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_0851A940
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_0851A92F
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_085189F1
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_08518A28
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_08511DA8
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_08518E50
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_08518E60
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_0851B2DF
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_0851B2F0
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_08519298
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_08519288
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 16_2_028A0FC8
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 16_2_028A74BC
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 16_2_028AA608
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 16_2_028A0930
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 16_2_028A0EB5
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 16_2_028A0F1C
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 16_2_028A2D33
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 16_2_028A2D40
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 16_2_028A1470
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 16_2_07839298
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 16_2_0783B2F0
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 16_2_07838E50
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 16_2_07838E60
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 16_2_07831DA8
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 16_2_07838A13
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 16_2_07838A28
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 16_2_0783A940
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 24_2_0191F03C
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Code function: 36_2_01A1F03C
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Code function: 36_2_05AD3CF8
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 37_2_016EF03C
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Static PE information: invalid certificate
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1482439937.00000000084C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.E}* vs Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1482193063.00000000084A0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1447999343.0000000004739000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1503577997.000000000B571000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000000.1392974629.0000000000C34000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVQYB.exe. vs Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1438590915.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 0000000B.00000002.1468238184.0000000000720000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Binary or memory string: OriginalFilenameVQYB.exe. vs Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
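The "OriginalFilename ... vs ..." rows above compare the on-disk name of the sample with the OriginalFilename values found in its memory: the process started as VQYB.exe but also carries Client.exe and Arthur.dll, so other PE images are resident inside it. The following Python is an added example, not Joe Sandbox code, showing how that value is recovered from a memory region: VS_VERSIONINFO stores the key and value as NUL-terminated UTF-16LE strings, which is also why the rows show the value glued onto the key. The dump it scans is constructed and the function names are assumptions.

```python
"""Recover OriginalFilename values from a memory dump and compare them with
the on-disk name, the check behind the report's "OriginalFilename X vs Y" rows.

Added example, not Joe Sandbox code. A PE's VS_VERSIONINFO stores the key
"OriginalFilename" and its value as NUL-terminated UTF-16LE strings. The dump
below is constructed; a real input is the bytes of a .sdmp region or of an
unpacked PE.
"""
import re
import struct

KEY = "OriginalFilename".encode("utf-16-le")
# key, its UTF-16 NUL, an optional 2-byte alignment pad, then an ASCII-range
# UTF-16LE value up to its NUL (values with non-ASCII characters are skipped)
VERSION_ENTRY = re.compile(
    KEY + rb"\x00\x00(?:\x00\x00)?((?:[^\x00]\x00)+)\x00\x00")


def original_filenames(blob):
    """Every embedded OriginalFilename value, in the order it appears."""
    return [m.group(1).decode("utf-16-le") for m in VERSION_ENTRY.finditer(blob)]


def mismatches(on_disk_name, blob):
    """Embedded names that differ from the on-disk name, deduplicated.

    More than one distinct name in a single process image means another PE
    (a dropped or injected payload) is resident next to the started module.
    """
    found = []
    for name in original_filenames(blob):
        if name.lower() != on_disk_name.lower() and name not in found:
            found.append(name)
    return found


def version_string_entry(value):
    """Constructed: one String entry (wLength, wValueLength, wType, szKey,
    Value) laid out as inside a VS_VERSIONINFO StringTable."""
    body = KEY + b"\x00\x00" + value.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body


# Constructed dump: the sample's own name followed by two other embedded PEs,
# mirroring the VQYB.exe / Client.exe / Arthur.dll rows of this report.
SAMPLE_DUMP = (b"MZ\x90\x00" + b"\x00" * 28
               + version_string_entry("VQYB.exe") + b"\xcc" * 16
               + version_string_entry("Client.exe") + b"\x00" * 8
               + version_string_entry("Arthur.dll"))
```

Run mismatches() over each .sdmp region with the name the process was started under; a region of the initial process that yields Client.exe while the file on disk is VQYB.exe is the same finding the sandbox reports, and it is the unpacked region to hand to the Yara rules listed in this section.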
Source: 0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 15.2.outlooks.exe.4d31d80.1.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 15.2.outlooks.exe.4d31d80.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 15.2.outlooks.exe.4d31d80.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 11.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 11.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 11.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 15.2.outlooks.exe.4d31d80.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 15.2.outlooks.exe.4d31d80.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 15.2.outlooks.exe.4d31d80.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@53/35@3/2
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | File created: C:\Users\user\AppData\Roaming\EPhabVgXw.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1080:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6772:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6084:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3556:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3476:120:WilError_03
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\9c58b2ba-07eb-415a-b48b-21bbb68d32285e
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3776:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4080:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8060:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4612:120:WilError_03
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | File created: C:\Users\user\AppData\Local\Temp\tmp870B.tmp
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | File read: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
Source: unknown | Process created: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe"
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EPhabVgXw.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmp870B.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Process created: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe"
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Process created: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe"
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Process created: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\EPhabVgXw.exe C:\Users\user\AppData\Roaming\EPhabVgXw.exe
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EPhabVgXw.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmpA8BC.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmpDA5B.tmp"
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EPhabVgXw.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmpDCBC.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Process created: C:\Users\user\AppData\Roaming\EPhabVgXw.exe "C:\Users\user\AppData\Roaming\EPhabVgXw.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
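The process tree above shows the two host-side behaviours this sample depends on: powershell.exe adding Defender exclusions with Add-MpPreference -ExclusionPath for each of its own binaries, and schtasks.exe registering persistence, once from an XML file in the user's Temp directory and once as an ONLOGON task that runs outlooks.exe out of AppData\Roaming with /rl HIGHEST. The following Python is an added example, not Joe Sandbox or Quasar code: it applies those checks to process-creation records constructed from the command lines listed above, plus one constructed -EncodedCommand variant (the form the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma rule in the overview targets) and one constructed benign task. The record layout, the rule names and the Disable* generalisation are assumptions.

```python
"""Flag the Defender-exclusion and scheduled-task persistence in this report.

Added example, not Joe Sandbox code. Applies the checks behind the
"Powershell ... MpPreference Cmdlet" and "Scheduled temp file as task from
temp location" signatures to process-creation records. The record fields
(image, command_line) are an assumption modelled on Sysmon Event ID 1.
"""
import base64
import re

# Directories a standard user can write to. A task launched from here with
# /rl HIGHEST is the persistence pattern this sample uses, not an admin tool.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData|Temp)\\",
    re.IGNORECASE)
# Add-/Set-MpPreference with an exclusion or a Disable* switch. Disable* is
# a generalisation (assumption); this sample only uses -ExclusionPath.
MPPREF = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-(Exclusion(Path|Process|Extension)|Disable\w+)",
    re.IGNORECASE | re.DOTALL)
ENCODED = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def encode_powershell(script):
    """What -EncodedCommand expects: base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Decoded -EncodedCommand payload, or '' if absent or not decodable."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths whole."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def check_defender_exclusion(image, cmdline):
    if not image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    # Scan the visible command line and the decoded payload together, so a
    # base64-wrapped cmdlet does not slip past the same check.
    text = cmdline + " " + decode_encoded_command(cmdline)
    return "defender_exclusion_added" if MPPREF.search(text) else None


def check_schtasks(image, cmdline):
    if not image.lower().endswith("schtasks.exe"):
        return None
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None

    def arg(flag):  # value following a switch, '' if missing
        i = low.index(flag) if flag in low else -1
        return toks[i + 1] if 0 <= i < len(toks) - 1 else ""

    xml, target, runlevel = arg("/xml"), arg("/tr"), arg("/rl").lower()
    # /XML hides the action and run level inside the file; flag the source
    # here and parse the XML separately if it is still on disk.
    if xml and USER_WRITABLE.search(xml) and xml.lower().endswith(".tmp"):
        return "schtask_from_temp_xml"
    if target and USER_WRITABLE.search(target):
        return ("schtask_highest_from_user_path" if runlevel == "highest"
                else "schtask_from_user_path")
    return None


def scan(records):
    """(rule, image, command_line) for every record that trips a check."""
    hits = []
    for r in records:
        for check in (check_defender_exclusion, check_schtasks):
            rule = check(r["image"], r["command_line"])
            if rule:
                hits.append((rule, r["image"], r["command_line"]))
    return hits


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
SAMPLE_RECORDS = [  # constructed from this report's process tree
    {"image": PS, "command_line":
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EPhabVgXw.exe"'},
    {"image": SCHTASKS, "command_line":
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmp870B.tmp"'},
    {"image": SCHTASKS, "command_line":
     r'"schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f'},
    # constructed: the same exclusion hidden behind -EncodedCommand
    {"image": PS, "command_line": "powershell.exe -nop -w hidden -enc "
     + encode_powershell(r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates"')},
    # constructed benign: an elevated task from a system path must not fire
    {"image": SCHTASKS, "command_line":
     r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /rl HIGHEST'},
    {"image": r"C:\Windows\System32\conhost.exe",
     "command_line": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]
```

Feed scan() real Sysmon Event ID 1 or Security 4688 rows and it returns four hits for the records above: both exclusion additions (plain and base64-wrapped), the task imported from a .tmp XML in Temp, and the ONLOGON task running with the highest run level from AppData\Roaming; the conhost and system-path task records are ignored. In a response the same three command lines tell you what to undo: Remove-MpPreference for each excluded path and deletion of the "Updates\EPhabVgXw" and "Outlooks" tasks.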
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe"
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EPhabVgXw.exe"
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmp870B.tmp"
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Process created: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe"
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Process created: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe"
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Process created: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe"
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmpDA5B.tmp"
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Process created: C:\Users\user\AppData\Roaming\EPhabVgXw.exe "C:\Users\user\AppData\Roaming\EPhabVgXw.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EPhabVgXw.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmpA8BC.tmp"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EPhabVgXw.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmpDCBC.tmp"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
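The process-creation records above show the three behaviours worth alerting on in this chain: the sample and its dropped copies add Windows Defender exclusions for their own paths with Add-MpPreference, register persistence through schtasks (once with /tr pointing at a copy under AppData and run level HIGHEST, once from a task XML written to Temp), and each image starts a second instance of itself before the injected payload runs. The following is an added triage example, not code from the Joe Sandbox report or from the analysed sample: it parses the report's own record format (the fused column separator and the trailing link text included) and applies one rule per behaviour. The sample lines are copied from the records above plus one constructed benign conhost launch; the rule names, severities and the "user profile equals user-writable" approximation are this example's own assumptions.

```python
"""Triage rules for the sandbox process-creation records above.

Added example, not code from the Joe Sandbox report. It parses lines in
the report's "Source: <parent>Process created: <child> <cmdline>" shape
and flags Defender exclusions, schtasks persistence and self-spawning.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# One report line: parent image, optional " | " separator, child image,
# optional command line. Paths may contain spaces, so both image fields
# are matched non-greedily up to their ".exe".
LINE_RE = re.compile(
    r'Source:\s*(?P<parent>.+?\.exe)\s*\|?\s*Process created:\s*'
    r'(?P<child>.+?\.exe)(?:\s+(?P<cmdline>.*))?$',
    re.IGNORECASE,
)
# Add-MpPreference followed by an exclusion switch and its (quoted or bare) value.
EXCL_RE = re.compile(
    r'Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]*)"|(\S+))',
    re.IGNORECASE,
)
# Assumption: anything under C:\Users\<name>\ (Desktop, AppData, Temp) is
# writable by that user and therefore a weak place for a task or exclusion.
USER_PROFILE_RE = re.compile(r'^[a-z]:\\users\\[^\\]+\\', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    parent: str
    child: str
    detail: str


def parse(line):
    """Return (parent, child, cmdline) for one record, or None if it does not match."""
    line = line.replace("Jump to behavior", "").strip()  # page-link residue
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["parent"].strip(), m["child"].strip(), (m["cmdline"] or "").strip()


def _switch(cmdline, name):
    """Value of a schtasks switch such as /tn "X" or /sc ONLOGON, else None."""
    m = re.search(rf'(?i)(?<!\S)/{name}\s+(?:"([^"]*)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else None


def user_writable(path):
    return bool(USER_PROFILE_RE.match(path))


def analyze(lines):
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        parent, child, cmdline = rec
        image = PureWindowsPath(child).name.lower()

        # Rule 1: a Defender exclusion is added. High severity when the excluded
        # object or the parent process lives in a user profile.
        if image == "powershell.exe":
            m = EXCL_RE.search(cmdline)
            if m:
                target = m.group(1) or m.group(2)
                sev = "high" if user_writable(target) or user_writable(parent) else "medium"
                findings.append(Finding("defender_exclusion", sev, parent, child, target))

        # Rule 2: schtasks /create whose action (/tr) or whose task definition
        # (/xml, which carries the action) comes from a user-writable path.
        elif image == "schtasks.exe" and re.search(r"(?i)(?<!\S)/create\b", cmdline):
            name = _switch(cmdline, "tn") or "?"
            target = _switch(cmdline, "tr") or _switch(cmdline, "xml") or ""
            if user_writable(target):
                detail = f"{name} -> {target}"
                if re.search(r"(?i)/rl\s+highest", cmdline):
                    detail += " (RL HIGHEST)"
                findings.append(Finding("schtasks_persistence", "high", parent, child, detail))

        # Rule 3: an image starting a second copy of itself, the usual precursor
        # to writing a payload into the suspended child.
        if parent.lower() == child.lower():
            findings.append(Finding("self_spawn", "medium", parent, child, image))
    return findings


# Constructed sample: four records copied from the report above plus one
# benign conhost launch that must produce no finding.
SAMPLE_LINES = [
    r'Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EPhabVgXw.exe"Jump to behavior',
    r'Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmp870B.tmp"Jump to behavior',
    r'Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeProcess created: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe"Jump to behavior',
    r'Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /fJump to behavior',
    r'Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f"[{f.severity}] {f.rule}: {f.detail}  (parent={PureWindowsPath(f.parent).name})")
```

Run on the sample, the rules produce four findings in record order: the exclusion for EPhabVgXw.exe, the "Updates\EPhabVgXw" task defined from a Temp XML, the sample's self-spawn, and the "Outlooks" logon task pointing into AppData with run level HIGHEST; the conhost launch yields nothing. The XML variant deserves a follow-up step on a real host, since the task action lives in the XML file rather than on the command line: pull the file (or the registered task's definition) before deciding what the task actually executes.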
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: iconcodecservice.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: slc.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: ntmarta.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: iconcodecservice.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: iconcodecservice.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: iconcodecservice.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: mswsock.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: secur32.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: schannel.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exeSection loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: msasn1.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeStatic file information: File size 3836424 > 1048576
                Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x3a0200
                Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
Source: 0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.4751d80.0.raw.unpack, L2.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe Code function: 0_2_07EEE07D push cs; iretd 0_2_07EEE07E
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe Code function: 12_2_0293184B pushfd ; ret 12_2_0293184C
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe Code function: 15_2_033F2A93 push esi; ret 15_2_033F2A94
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe Code function: 15_2_033F184B pushfd ; ret 15_2_033F184C
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe Code function: 15_2_085141A0 push eax; retf 15_2_085141AD
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe Code function: 16_2_028A2A93 push esi; ret 16_2_028A2A94
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe Code function: 16_2_028A184B pushfd ; ret 16_2_028A184C
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe File created: C:\Users\user\AppData\Roaming\EPhabVgXw.exe
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe

Boot Survival
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmp870B.tmp"

Hooking and other Techniques for Hiding and Protection
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe File opened: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe File opened: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe File opened: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe  Process information set: NOOPENFILEERRORBOX (44 identical entries)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match; File source: Process Memory Space: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe PID: 7756, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: EPhabVgXw.exe PID: 5332, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: outlooks.exe PID: 2596, type: MEMORYSTR
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe; Memory allocated: 1580000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe; Memory allocated: 2F30000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe; Memory allocated: 4F30000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe; Memory allocated: 55C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe; Memory allocated: 65C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe; Memory allocated: 66F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe; Memory allocated: 76F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe; Memory allocated: AD70000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe; Memory allocated: A310000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe; Memory allocated: BD70000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe; Memory allocated: CD70000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe; Memory allocated: 2CE0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe; Memory allocated: 2EA0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe; Memory allocated: 4EA0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe; Memory allocated: 28F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe; Memory allocated: 2980000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe; Memory allocated: 4980000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe; Memory allocated: 5020000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe; Memory allocated: 6020000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe; Memory allocated: 6150000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe; Memory allocated: 7150000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe; Memory allocated: 9400000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe; Memory allocated: A400000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe; Memory allocated: 64C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 1B10000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 3510000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 3300000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 5BF0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 6BF0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 6D20000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 7D20000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 9FD0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: AFD0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 7090000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: F60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 28F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 48F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 4F10000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 5F10000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 6040000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 7040000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 9320000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: A320000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 63B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 1910000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 3380000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 32A0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe; Memory allocated: 1A10000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe; Memory allocated: 3680000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe; Memory allocated: 33F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 16E0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 2F30000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 4F30000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4525
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 480
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5465
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3566
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3263
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Window / User API: threadDelayed 9610
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5465
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5331
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe TID: 7776; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8044; Thread sleep count: 4525 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7252; Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8040; Thread sleep count: 480 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8128; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7524; Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7204; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe TID: 7380; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe TID: 6208; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe TID: 6412; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe TID: 7620; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2284; Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4712; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3004; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2624; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe TID: 7928; Thread sleep time: -27670116110564310s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7972; Thread sleep count: 5465 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1072; Thread sleep time: -4611686018427385s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7972; Thread sleep count: 208 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8104; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5372; Thread sleep time: -6456360425798339s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8156; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe TID: 2316; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe TID: 6860; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                Source: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1436632210.0000000001205000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(S#
                Source: EPhabVgXw.exe, 0000000C.00000002.1675424491.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t
                Source: outlooks.exe, 00000018.00000002.3883488440.0000000005CF0000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe; Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe; Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe; Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Process token adjusted: Debug
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe; Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe"
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EPhabVgXw.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EPhabVgXw.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EPhabVgXw.exe"
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeMemory written: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeMemory written: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeMemory written: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EPhabVgXw.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmp870B.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeProcess created: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeProcess created: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeProcess created: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /fJump to behavior
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeProcess created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmpDA5B.tmp"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exeProcess created: C:\Users\user\AppData\Roaming\EPhabVgXw.exe "C:\Users\user\AppData\Roaming\EPhabVgXw.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EPhabVgXw.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmpA8BC.tmp"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EPhabVgXw.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmpDCBC.tmp"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
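The process-creation and memory-write events above carry three behaviours worth turning into detection logic: a Windows Defender exclusion added through PowerShell's Add-MpPreference, scheduled-task persistence via schtasks.exe (an ONLOGON trigger at /rl HIGHEST, or a task definition loaded from an XML file staged under a Temp directory), and a process that launches a copy of itself and then writes an MZ header at the child's image base (0x400000), the process-hollowing pattern the report's "Injects a PE file into a foreign processes" signature refers to. The following Python script is an added example and is not part of the Joe Sandbox report or of Joe Security's tooling; it parses event lines in the format shown above (with or without a separator after the source path), runs the three rules over a sample log constructed from this page's own lines plus one benign control line, and tags each hit with an ATT&CK technique ID that is my mapping, not the report's.

```python
import re
from dataclasses import dataclass

# Constructed sample: abbreviated copies of the report's event lines plus one
# benign control line (explorer.exe launching notepad.exe) that must not fire.
SAMPLE_LOG = r'''
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EPhabVgXw.exe"
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmp870B.tmp"
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeProcess created: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe"
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeMemory written: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt
'''

# "Source: <parent>[ | ]<kind>: <rest>"; the separator is optional because the
# extracted report runs the parent path straight into the event name.
EVENT_RE = re.compile(
    r'^Source: (?P<parent>.+?\.exe)\s*\|?\s*(?P<kind>Process created|Memory written): (?P<rest>.*)$')
# "<image> "<cmdline...>" ": the image path ends at the first .exe followed by a quote.
PROC_RE = re.compile(r'^(?P<image>.+?\.exe) (?P<cmdline>".*)$')
MEM_RE = re.compile(
    r'^(?P<target>.+?\.exe) base: (?P<base>[0-9A-Fa-f]+) value starts with: (?P<magic>[0-9A-Fa-f]+)$')


@dataclass
class Finding:
    technique: str  # ATT&CK ID; this mapping is mine, not the report's
    rule: str
    parent: str
    evidence: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process(parent: str, image: str, cmdline: str) -> list:
    low = cmdline.lower()
    img = basename(image)
    out = []
    # T1562.001 Impair Defenses: any Add-MpPreference -Exclusion{Path,Process,Extension}
    if img == "powershell.exe" and "add-mppreference" in low and "-exclusion" in low:
        out.append(Finding("T1562.001", "defender-exclusion", parent, cmdline))
    # T1053.005 Scheduled Task: only flag creations with a persistence/elevation hint
    if img == "schtasks.exe" and "/create" in low:
        hints = []
        if "/sc onlogon" in low:
            hints.append("onlogon")
        if "/rl highest" in low:
            hints.append("highest")
        if "/xml" in low and "\\temp\\" in low:
            hints.append("xml-from-temp")
        if hints:
            out.append(Finding("T1053.005", "schtasks-persistence:" + ",".join(hints), parent, cmdline))
    # T1055.012 Process Hollowing, first half: a process spawning its own image
    if parent.lower() == image.lower():
        out.append(Finding("T1055.012", "self-spawn", parent, cmdline))
    return out


def check_memory(parent: str, target: str, base: str, magic: str) -> list:
    # Second half of hollowing: a PE header (MZ = 0x4D5A) written into another process
    if magic.upper().startswith("4D5A"):
        where = "self" if parent.lower() == target.lower() else "foreign"
        return [Finding("T1055.012", f"mz-written-{where}@0x{base}", parent, target)]
    return []


def analyse(log_text: str) -> list:
    findings = []
    for raw in log_text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if not m:
            continue
        parent, kind, rest = m.group("parent"), m.group("kind"), m.group("rest")
        if kind == "Process created":
            p = PROC_RE.match(rest)
            if p:
                findings.extend(check_process(parent, p.group("image"), p.group("cmdline")))
        else:
            w = MEM_RE.match(rest)
            if w:
                findings.extend(check_memory(parent, w.group("target"), w.group("base"), w.group("magic")))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.technique} {f.rule}: {basename(f.parent)} -> {f.evidence[:80]}")
```

On the sample log the script reports one Defender exclusion, two scheduled-task creations (one via XML from Temp, one ONLOGON at highest run level), one self-spawn and one MZ write, and nothing for the notepad control line. The rules match on plain command-line text only; a Base64-encoded PowerShell invocation (the case the report's Sigma rule "Powershell Base64 Encoded MpPreference Cmdlet" covers) would have to be decoded before the exclusion rule fires, and the self-spawn rule on its own is only a weak signal until the MZ write corroborates it.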
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Queries volume information: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe VolumeInformation
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Queries volume information: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe VolumeInformation
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Queries volume information: C:\Users\user\AppData\Roaming\EPhabVgXw.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exeQueries volume information: C:\Users\user\AppData\Roaming\EPhabVgXw.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
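The volume-information rows above only become useful once they are grouped per source process and the user-writable locations are separated from the Windows and GAC paths that any PowerShell or .NET process touches on start-up. The Python script below is an added example, not part of the Joe Sandbox report: it parses rows in exactly the fused form the text export produces, deduplicates the query targets per source process, strips the trailing column label and page widget text, and flags sources and targets that live under user-writable roots. The list of user-writable roots is a heuristic chosen for this example, and the sample rows are copied from the list above.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the behaviour list above, in the fused
# form text extraction produces ("...powershell.exeQueries volume information: ...").
SAMPLE = r"""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EPhabVgXw.exeQueries volume information: C:\Users\user\AppData\Roaming\EPhabVgXw.exe VolumeInformation
Source: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
"""

# One report row: "Source: <process image><action>: <detail>". The separator between
# the image path and the action is lost in the text export, so we key on ".exe".
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)"
    r"(?P<action>Queries volume information|Key value queried):\s*"
    r"(?P<detail>.+?)\s*$"
)
# Trailing tokens that are column labels or page widgets, not data.
SUFFIXES = (" VolumeInformation", "Jump to behavior")

# Heuristic chosen for this example (not from the report): roots a standard user
# can write to. Binaries or query targets under these roots deserve a closer look.
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root) for root in USER_WRITABLE_ROOTS)


def triage_report(text: str = SAMPLE) -> dict:
    """Group behaviour rows per source process and flag user-writable paths."""
    procs = defaultdict(lambda: {
        "source_user_writable": False,
        "paths": set(),                # distinct volume-information targets
        "user_writable_paths": set(),  # the subset under USER_WRITABLE_ROOTS
        "registry_keys": set(),
    })
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        src, action, detail = m.group("src"), m.group("action"), m.group("detail")
        for suffix in SUFFIXES:
            if detail.endswith(suffix):
                detail = detail[:-len(suffix)].rstrip()
        entry = procs[src]
        entry["source_user_writable"] = is_user_writable(src)
        if action == "Queries volume information":
            entry["paths"].add(detail)
            if is_user_writable(detail):
                entry["user_writable_paths"].add(detail)
        else:
            entry["registry_keys"].add(detail)
    return dict(procs)


def suspicious_sources(text: str = SAMPLE) -> list:
    """Processes that run from a user-writable location, sorted for stable output."""
    return sorted(src for src, e in triage_report(text).items()
                  if e["source_user_writable"])


if __name__ == "__main__":
    for src, e in triage_report().items():
        tag = "USER-WRITABLE" if e["source_user_writable"] else "system"
        print(f"{src} [{tag}] paths={len(e['paths'])} "
              f"user-writable targets={len(e['user_writable_paths'])} "
              f"registry={sorted(e['registry_keys'])}")
```

On the sample, powershell.exe collapses to three distinct targets, all under C:\Windows, while outlooks.exe and EPhabVgXw.exe both run from AppData\Roaming and query their own image there; the Desktop sample is the one process reading MachineGuid, a common host-fingerprint source. Running the same script over the full row list gives the per-process picture without the repetition.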

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.outlooks.exe.4d31d80.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.outlooks.exe.4d31d80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.1548216347.0000000003553000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1468238184.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1695231359.0000000002940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1438590915.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1447999343.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1695897182.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1468238184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1575341793.0000000004D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1503577997.000000000B571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe PID: 7756, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe PID: 7268, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: EPhabVgXw.exe PID: 5332, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 2596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 6220, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 2968, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.b88e658.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.outlooks.exe.4d31d80.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.outlooks.exe.4d31d80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.1548216347.0000000003553000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1468238184.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1695231359.0000000002940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1438590915.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1447999343.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1695897182.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1468238184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1575341793.0000000004D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1503577997.000000000B571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe PID: 7756, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe PID: 7268, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: EPhabVgXw.exe PID: 5332, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 2596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 6220, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 2968, type: MEMORYSTR
MITRE ATT&CK Matrix (one column per tactic; a leading number marks a technique matched by this sample, cells without a number are the matrix's default labels):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 111 Process Injection | 1 Masquerading | 11 Input Capture | 11 Security Software Discovery | Remote Services | 11 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Hidden Files and Directories | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1567376
Sample: Nowe zam#U00f3wienie - 0072... Start date: 03/12/2024 Architecture: WINDOWS Score: 100
Contacted domains: Zyg.ydns.eu, Opy.ydns.eu
Signatures on the sample: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 14 other signatures

Process tree (indentation shows parent/child; dropped files, network contacts and signatures are listed under the process they belong to):

Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe (started)
  Dropped: C:\Users\user\AppData\Roaming\EPhabVgXw.exe (PE32); C:\Users\...\EPhabVgXw.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp870B.tmp (XML); Nowe zam#U00f3wien...(243KB).com.exe.log (ASCII)
  Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe (started)
    Dropped: C:\Users\user\AppData\...\outlooks.exe (PE32)
    Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
    outlooks.exe (started)
      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
      outlooks.exe (started)
        Network: Zyg.ydns.eu 156.0.0.7, ports 49763, 49878, 49985, VODACOM-ZA, Lesotho; Opy.ydns.eu 194.59.31.75, ports 49821, 49933, 49986, COMBAHTONcombahtonGmbHDE, Germany
        Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
        schtasks.exe (started)
          conhost.exe (started)
      powershell.exe (started)
        Signatures: Loading BitLocker PowerShell Module
        conhost.exe (started)
      powershell.exe (started)
        conhost.exe (started)
      schtasks.exe (started)
        conhost.exe (started)
    schtasks.exe (started)
      conhost.exe (started)
  powershell.exe (started)
    Signatures: Loading BitLocker PowerShell Module
    conhost.exe (started)
  powershell.exe (started)
    conhost.exe (started)
  3 other processes
    conhost.exe (started)
outlooks.exe (started)
  powershell.exe (started)
    conhost.exe (started)
  powershell.exe (started)
    conhost.exe (started)
  2 other processes
    conhost.exe (started)
EPhabVgXw.exe (started)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  schtasks.exe (started)
    conhost.exe (started)
  EPhabVgXw.exe (started)

Source | Detection | Scanner | Label
Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | 45% | ReversingLabs | Win32.Trojan.Nekark
Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | 100% | Avira | HEUR/AGEN.1357257
Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\EPhabVgXw.exe | 100% | Avira | HEUR/AGEN.1357257
C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | 100% | Avira | HEUR/AGEN.1357257
C:\Users\user\AppData\Roaming\EPhabVgXw.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\EPhabVgXw.exe | 45% | ReversingLabs | Win32.Trojan.Nekark
C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | 45% | ReversingLabs | Win32.Trojan.Nekark
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
http://localhost/arkanoid_server/requests.php | 0% | Avira URL Cloud | safe
Zyg.ydns.eu | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
Opy.ydns.eu | 194.59.31.75 | true | true | | unknown
Zyg.ydns.eu | 156.0.0.7 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
Zyg.ydns.eu | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1447999343.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1503577997.000000000B571000.00000004.00000800.00020000.00000000.sdmp, Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 0000000B.00000002.1468238184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 0000000F.00000002.1575341793.0000000004D31000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://localhost/arkanoid_server/requests.php | outlooks.exe, 00000010.00000002.1695231359.00000000028F9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://stackoverflow.com/q/14436606/23354 | Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1447999343.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1503577997.000000000B571000.00000004.00000800.00020000.00000000.sdmp, Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 0000000B.00000002.1468238184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 0000000F.00000002.1575341793.0000000004D31000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000018.00000002.3862325749.00000000033B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/2152978/23354sCannot | Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1447999343.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1503577997.000000000B571000.00000004.00000800.00020000.00000000.sdmp, Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 0000000B.00000002.1468238184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 0000000F.00000002.1575341793.0000000004D31000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ipwho.is/ | Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1447999343.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1503577997.000000000B571000.00000004.00000800.00020000.00000000.sdmp, Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 0000000B.00000002.1468238184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 0000000F.00000002.1575341793.0000000004D31000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1438590915.0000000002F8E000.00000004.00000800.00020000.00000000.sdmp, Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 0000000B.00000002.1484751531.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, EPhabVgXw.exe, 0000000C.00000002.1695897182.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 0000000F.00000002.1548216347.0000000003553000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000010.00000002.1695231359.0000000002936000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000018.00000002.3862325749.00000000033AB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, EPhabVgXw.exe.0.dr, outlooks.exe.11.dr | false | | high
https://stackoverflow.com/q/11564914/23354; | Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1447999343.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 00000000.00000002.1503577997.000000000B571000.00000004.00000800.00020000.00000000.sdmp, Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe, 0000000B.00000002.1468238184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 0000000F.00000002.1575341793.0000000004D31000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
156.0.0.7 | Zyg.ydns.eu | Lesotho | 29975 | VODACOM-ZA | true
194.59.31.75 | Opy.ydns.eu | Germany | 30823 | COMBAHTONcombahtonGmbHDE | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1567376
Start date and time: 2024-12-03 14:00:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
renamed because original name is a hash value
Original Sample Name: Nowe zamwienie - 0072291855.pdf (243KB).com.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@53/35@3/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 118
• Number of non-executed functions: 8
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
Time | Type | Description
08:01:15 | API Interceptor | 1x Sleep call for process: Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe modified
08:01:17 | API Interceptor | 150x Sleep call for process: powershell.exe modified
08:01:22 | API Interceptor | 8110572x Sleep call for process: outlooks.exe modified
08:01:35 | API Interceptor | 1x Sleep call for process: EPhabVgXw.exe modified
13:01:20 | Task Scheduler | Run new task: EPhabVgXw path: C:\Users\user\AppData\Roaming\EPhabVgXw.exe
13:01:22 | Task Scheduler | Run new task: Outlooks path: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
156.0.0.7 | Cotizaci#U00f3n 99026475526_pdf.com.exe | malicious | Quasar |
156.0.0.7 | WMdKM7E5Yg.exe | malicious | Quasar |
194.59.31.75 | Cotizaci#U00f3n 99026475526_pdf.com.exe | malicious | Quasar |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Opy.ydns.eu | Cotizaci#U00f3n 99026475526_pdf.com.exe | malicious | Quasar | 194.59.31.75
Opy.ydns.eu | WMdKM7E5Yg.exe | malicious | Quasar | 79.110.49.79
Zyg.ydns.eu | Cotizaci#U00f3n 99026475526_pdf.com.exe | malicious | Quasar | 156.0.0.7
Zyg.ydns.eu | WMdKM7E5Yg.exe | malicious | Quasar | 156.0.0.7
Match | Associated Sample Name / URL | Detection | Threat Name | Context
VODACOM-ZA | sora.mips.elf | malicious | Mirai | 156.24.5.78
VODACOM-ZA | la.bot.mipsel.elf | malicious | Mirai | 41.28.9.178
VODACOM-ZA | la.bot.arm7.elf | malicious | Mirai | 41.22.92.99
VODACOM-ZA | la.bot.powerpc.elf | malicious | Mirai | 105.250.4.122
VODACOM-ZA | sora.m68k.elf | malicious | Mirai | 41.2.112.2
VODACOM-ZA | botnet.spc.elf | malicious | Mirai, Moobot | 41.18.70.130
VODACOM-ZA | mips.nn.elf | malicious | Mirai, Okiru | 156.5.220.72
VODACOM-ZA | powerpc.nn.elf | malicious | Mirai, Okiru | 41.18.187.7
VODACOM-ZA | x86_32.nn.elf | malicious | Mirai, Okiru | 156.138.65.132
VODACOM-ZA | x86_64.nn.elf | malicious | Mirai, Okiru | 156.24.15.226
COMBAHTONcombahtonGmbHDE | https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html | malicious | ScreenConnect Tool | 194.59.31.199
COMBAHTONcombahtonGmbHDE | https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html | malicious | ScreenConnect Tool | 194.59.31.199
COMBAHTONcombahtonGmbHDE | firestub.bat | malicious | Unknown | 194.59.30.10
COMBAHTONcombahtonGmbHDE | Cotizaci#U00f3n 99026475526_pdf.com.exe | malicious | Quasar | 194.59.31.75
COMBAHTONcombahtonGmbHDE | file.exe | malicious | ScreenConnect Tool | 194.59.30.222
COMBAHTONcombahtonGmbHDE | DEMASI-24-12B DOC. SCAN.exe | malicious | GuLoader, Remcos | 194.59.31.40
COMBAHTONcombahtonGmbHDE | Orden de Noviembre.com.exe | malicious | AsyncRAT | 194.59.31.47
COMBAHTONcombahtonGmbHDE | monthly-eStatementForum120478962.Client.exe | malicious | ScreenConnect Tool | 194.59.30.201
COMBAHTONcombahtonGmbHDE | monthly-eStatementForum120478962.Client.exe | malicious | ScreenConnect Tool | 194.59.30.201
COMBAHTONcombahtonGmbHDE | 0jg24sHn9q.exe | malicious | Remcos | 194.59.31.120
                                        No context
                                        No context
Process: C:\Users\user\AppData\Roaming\EPhabVgXw.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 2232
Entropy (8bit): 5.378678664000099
Encrypted: false
SSDEEP: 48:1WSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeC/ZM0Uyus:1LHxvCsIfA2KRHmOugw1s
MD5: 5216250CDCE69539C3F647B340B688B8
SHA1: 6BD5FC16B9C7FC7BD455C85C487D6FB37AD85BF6
SHA-256: 09BC4F5E0A47E52581272A6257AD56A1E78DFA17B9E5CDBCB6B724AAF40766E5
SHA-512: B4E90B8D425CAB211FA160931EDFF16FA69939CF0B751F649E8A35E6217863CC6EA843ED6B22AC2B2AD048F38C80B97EDA1A674AF1C64CB7BDC63A0AD3102A1F
Malicious: false
Preview: @...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
                                        File Type:XML 1.0 document, ASCII text
                                        Category:dropped
                                        Size (bytes):1568
                                        Entropy (8bit):5.088192154438477
                                        Encrypted:false
                                        SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewv9v:HeLwYrFdOFzOz6dKrsuqk
                                        MD5:CE4CEA31E87C2E2BBE57C88E9EF437F4
                                        SHA1:CF0B45CE2C95A69134DA41B7A16EF83A31AD60AF
                                        SHA-256:CCAE01E04ADD63B6AE804F57C97AAE0B63F443E1700EC8EEA0432DC1DB61C003
                                        SHA-512:D186CBAD6BCBF75404572D0CF5693D0FB33E70872593D60507CC577C2F81D2E580691F427CF7FBE66C2624F299690FF1DF60EF24A59F7A1B50A494B2D13E2CC7
                                        Malicious:true
                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                                        Process:C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                        File Type:XML 1.0 document, ASCII text
                                        Category:dropped
                                        Size (bytes):1568
                                        Entropy (8bit):5.088192154438477
                                        Encrypted:false
                                        SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewv9v:HeLwYrFdOFzOz6dKrsuqk
                                        MD5:CE4CEA31E87C2E2BBE57C88E9EF437F4
                                        SHA1:CF0B45CE2C95A69134DA41B7A16EF83A31AD60AF
                                        SHA-256:CCAE01E04ADD63B6AE804F57C97AAE0B63F443E1700EC8EEA0432DC1DB61C003
                                        SHA-512:D186CBAD6BCBF75404572D0CF5693D0FB33E70872593D60507CC577C2F81D2E580691F427CF7FBE66C2624F299690FF1DF60EF24A59F7A1B50A494B2D13E2CC7
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                                        Process:C:\Users\user\AppData\Roaming\EPhabVgXw.exe
                                        File Type:XML 1.0 document, ASCII text
                                        Category:dropped
                                        Size (bytes):1568
                                        Entropy (8bit):5.088192154438477
                                        Encrypted:false
                                        SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewv9v:HeLwYrFdOFzOz6dKrsuqk
                                        MD5:CE4CEA31E87C2E2BBE57C88E9EF437F4
                                        SHA1:CF0B45CE2C95A69134DA41B7A16EF83A31AD60AF
                                        SHA-256:CCAE01E04ADD63B6AE804F57C97AAE0B63F443E1700EC8EEA0432DC1DB61C003
                                        SHA-512:D186CBAD6BCBF75404572D0CF5693D0FB33E70872593D60507CC577C2F81D2E580691F427CF7FBE66C2624F299690FF1DF60EF24A59F7A1B50A494B2D13E2CC7
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                                        Process:C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                        File Type:XML 1.0 document, ASCII text
                                        Category:dropped
                                        Size (bytes):1568
                                        Entropy (8bit):5.088192154438477
                                        Encrypted:false
                                        SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewv9v:HeLwYrFdOFzOz6dKrsuqk
                                        MD5:CE4CEA31E87C2E2BBE57C88E9EF437F4
                                        SHA1:CF0B45CE2C95A69134DA41B7A16EF83A31AD60AF
                                        SHA-256:CCAE01E04ADD63B6AE804F57C97AAE0B63F443E1700EC8EEA0432DC1DB61C003
                                        SHA-512:D186CBAD6BCBF75404572D0CF5693D0FB33E70872593D60507CC577C2F81D2E580691F427CF7FBE66C2624F299690FF1DF60EF24A59F7A1B50A494B2D13E2CC7
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                                        Process:C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):3836424
                                        Entropy (8bit):7.979070872377809
                                        Encrypted:false
                                        SSDEEP:49152:wBeT66BYzsKDeAo4hJFXMOqlI9XGhvPEpCaZKfpObuLkEnmnK0QnFRhe5+ET8QVY:TTF7GbIlDvPEpz4ptnHhK87nhUnIJb
                                        MD5:96493F8A0252E4E492DE924D83DB5A8A
                                        SHA1:09DAD264469E86A858F0183ED6E5BFE2D53781F4
                                        SHA-256:E14C8CD3613B5D94CD5CA407FD329B61954ADD690C779EDBD41B362D035F7879
                                        SHA-512:29D6192B4AAE0AF83FE15D015BE5CF3E1B8832E154C6E847D71DE1834C30421F435192490FC9F5B868C99E71F2BBDB92685582985ECE2E7694D02799CD315B78
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 45%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ng..............0...:..P.......!:.. ...@:...@.. ........................:...........@.................................`!:.K....@:.hM...........T:..6....:...................................................... ............... ..H............text.....:.. ....:................. ..`.rsrc...hM...@:..N....:.............@..@.reloc........:......R:.............@..B.................!:.....H.........9............0...h.9............................................V...4......~...(.MVn2.;.=.sR...x.....}.d...<.1.....Y.......U..3..P....`U...?.m}.;..f.!......>.....Z...)...`]k.@..a..1...c..#X..D #..;.O(..P=.f.-<....Y8.*...|....Xq&<...!.....#9".S.......,Y..w...r.O.Z.YG<&..=.:;R...-..[.......pu...`~d....O...T.%D....\.P.5....5R...v.`.;.....5K.W].w.1..m....'_...2.p.Mm..BCs.,....%.Yx..D'..eC7...K...8...4.........Zg.j........2.p.Mm..BC.0..........(....*...0..
                                        Process:C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        Process:C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):3836424
                                        Entropy (8bit):7.979070872377809
                                        Encrypted:false
                                        SSDEEP:49152:wBeT66BYzsKDeAo4hJFXMOqlI9XGhvPEpCaZKfpObuLkEnmnK0QnFRhe5+ET8QVY:TTF7GbIlDvPEpz4ptnHhK87nhUnIJb
                                        MD5:96493F8A0252E4E492DE924D83DB5A8A
                                        SHA1:09DAD264469E86A858F0183ED6E5BFE2D53781F4
                                        SHA-256:E14C8CD3613B5D94CD5CA407FD329B61954ADD690C779EDBD41B362D035F7879
                                        SHA-512:29D6192B4AAE0AF83FE15D015BE5CF3E1B8832E154C6E847D71DE1834C30421F435192490FC9F5B868C99E71F2BBDB92685582985ECE2E7694D02799CD315B78
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 45%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ng..............0...:..P.......!:.. ...@:...@.. ........................:...........@.................................`!:.K....@:.hM...........T:..6....:...................................................... ............... ..H............text.....:.. ....:................. ..`.rsrc...hM...@:..N....:.............@..@.reloc........:......R:.............@..B.................!:.....H.........9............0...h.9............................................V...4......~...(.MVn2.;.=.sR...x.....}.d...<.1.....Y.......U..3..P....`U...?.m}.;..f.!......>.....Z...)...`]k.@..a..1...c..#X..D #..;.O(..P=.f.-<....Y8.*...|....Xq&<...!.....#9".S.......,Y..w...r.O.Z.YG<&..=.:;R...-..[.......pu...`~d....O...T.%D....\.P.5....5R...v.`.;.....5K.W].w.1..m....'_...2.p.Mm..BCs.,....%.Yx..D'..eC7...K...8...4.........Zg.j........2.p.Mm..BC.0..........(....*...0..
                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.979070872377809
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                        • Win32 Executable (generic) a (10002005/4) 49.97%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
                                        File size:3'836'424 bytes
                                        MD5:96493f8a0252e4e492de924d83db5a8a
                                        SHA1:09dad264469e86a858f0183ed6e5bfe2d53781f4
                                        SHA256:e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879
                                        SHA512:29d6192b4aae0af83fe15d015be5cf3e1b8832e154c6e847d71de1834c30421f435192490fc9f5b868c99e71f2bbdb92685582985ece2e7694d02799cd315b78
                                        SSDEEP:49152:wBeT66BYzsKDeAo4hJFXMOqlI9XGhvPEpCaZKfpObuLkEnmnK0QnFRhe5+ET8QVY:TTF7GbIlDvPEpz4ptnHhK87nhUnIJb
                                        TLSH:2006238C3A04F42FC946D53056B0FD75B9682D9ED30393238AEB2EDBB95ED665E040D2
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ng..............0...:..P.......!:.. ...@:...@.. ........................:...........@................................
                                        Icon Hash:033424c4c199d839
                                        Entrypoint:0x7a21ae
                                        Entrypoint Section:.text
                                        Digitally signed:true
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x674E9EFD [Tue Dec 3 06:02:37 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                        Signature Valid:false
                                        Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                        Signature Validation Error:The digital signature of the object did not verify
                                        Error Number:-2146869232
                                        Not Before, Not After
                                        • 12/11/2018 19:00:00 08/11/2021 18:59:59
                                        Subject Chain
                                        • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                        Version:3
                                        Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                        Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                        Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                        Serial:7C1118CBBADC95DA3752C46E47A27438
                                        Instruction
                                        jmp dword ptr [00402000h]
                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3a2160 | 0x4b | .text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3a4000 | 0x4d68 | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3a5400 | 0x3608 | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3aa000 | 0xc | .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x2000 | 0x3a01b4 | 0x3a0200 | ffc4b12bc29680aa16c4433a16d4846b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .rsrc | 0x3a4000 | 0x4d68 | 0x4e00 | a521700251478ab75e9300ecba0a9ce6 | False | 0.9449118589743589 | data | 7.788308918599237 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc | 0x3aa000 | 0xc | 0x200 | 3dfd70e7ab83051d009c88485c797071 | False | 0.044921875 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 ":" | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                        RT_ICON | 0x3a4130 | 0x46f9 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9932852661126094
                                        RT_GROUP_ICON | 0x3a882c | 0x14 | data | | | 1.05
                                        RT_VERSION | 0x3a8840 | 0x338 | data | | | 0.441747572815534
                                        RT_MANIFEST | 0x3a8b78 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                        DLL | Import
                                        mscoree.dll | _CorExeMain
                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Dec 3, 2024 14:01:32.307295084 CET | 49763 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:01:32.430250883 CET | 5829 | 49763 | 156.0.0.7 | 192.168.2.9
                                        Dec 3, 2024 14:01:32.430543900 CET | 49763 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:01:32.437326908 CET | 49763 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:01:32.558274984 CET | 5829 | 49763 | 156.0.0.7 | 192.168.2.9
                                        Dec 3, 2024 14:01:54.334552050 CET | 5829 | 49763 | 156.0.0.7 | 192.168.2.9
                                        Dec 3, 2024 14:01:54.334649086 CET | 49763 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:01:54.342677116 CET | 49763 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:01:54.464052916 CET | 5829 | 49763 | 156.0.0.7 | 192.168.2.9
                                        Dec 3, 2024 14:01:58.063922882 CET | 49821 | 5829 | 192.168.2.9 | 194.59.31.75
                                        Dec 3, 2024 14:01:58.184020042 CET | 5829 | 49821 | 194.59.31.75 | 192.168.2.9
                                        Dec 3, 2024 14:01:58.184205055 CET | 49821 | 5829 | 192.168.2.9 | 194.59.31.75
                                        Dec 3, 2024 14:01:58.205486059 CET | 49821 | 5829 | 192.168.2.9 | 194.59.31.75
                                        Dec 3, 2024 14:01:58.326841116 CET | 5829 | 49821 | 194.59.31.75 | 192.168.2.9
                                        Dec 3, 2024 14:02:20.083812952 CET | 5829 | 49821 | 194.59.31.75 | 192.168.2.9
                                        Dec 3, 2024 14:02:20.083910942 CET | 49821 | 5829 | 192.168.2.9 | 194.59.31.75
                                        Dec 3, 2024 14:02:20.084358931 CET | 49821 | 5829 | 192.168.2.9 | 194.59.31.75
                                        Dec 3, 2024 14:02:20.204570055 CET | 5829 | 49821 | 194.59.31.75 | 192.168.2.9
                                        Dec 3, 2024 14:02:23.574594021 CET | 49878 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:02:23.695652962 CET | 5829 | 49878 | 156.0.0.7 | 192.168.2.9
                                        Dec 3, 2024 14:02:23.695801973 CET | 49878 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:02:23.696276903 CET | 49878 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:02:23.816247940 CET | 5829 | 49878 | 156.0.0.7 | 192.168.2.9
                                        Dec 3, 2024 14:02:45.655787945 CET | 5829 | 49878 | 156.0.0.7 | 192.168.2.9
                                        Dec 3, 2024 14:02:45.658339024 CET | 49878 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:02:45.661453962 CET | 49878 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:02:45.781414032 CET | 5829 | 49878 | 156.0.0.7 | 192.168.2.9
                                        Dec 3, 2024 14:02:49.293411970 CET | 49933 | 5829 | 192.168.2.9 | 194.59.31.75
                                        Dec 3, 2024 14:02:49.414289951 CET | 5829 | 49933 | 194.59.31.75 | 192.168.2.9
                                        Dec 3, 2024 14:02:49.414478064 CET | 49933 | 5829 | 192.168.2.9 | 194.59.31.75
                                        Dec 3, 2024 14:02:49.414828062 CET | 49933 | 5829 | 192.168.2.9 | 194.59.31.75
                                        Dec 3, 2024 14:02:49.535201073 CET | 5829 | 49933 | 194.59.31.75 | 192.168.2.9
                                        Dec 3, 2024 14:03:11.319063902 CET | 5829 | 49933 | 194.59.31.75 | 192.168.2.9
                                        Dec 3, 2024 14:03:11.322323084 CET | 49933 | 5829 | 192.168.2.9 | 194.59.31.75
                                        Dec 3, 2024 14:03:11.324289083 CET | 49933 | 5829 | 192.168.2.9 | 194.59.31.75
                                        Dec 3, 2024 14:03:11.444191933 CET | 5829 | 49933 | 194.59.31.75 | 192.168.2.9
                                        Dec 3, 2024 14:03:14.996313095 CET | 49985 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:03:15.116278887 CET | 5829 | 49985 | 156.0.0.7 | 192.168.2.9
                                        Dec 3, 2024 14:03:15.116394043 CET | 49985 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:03:15.116842985 CET | 49985 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:03:15.236887932 CET | 5829 | 49985 | 156.0.0.7 | 192.168.2.9
                                        Dec 3, 2024 14:03:37.047368050 CET | 5829 | 49985 | 156.0.0.7 | 192.168.2.9
                                        Dec 3, 2024 14:03:37.047708988 CET | 49985 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:03:37.049271107 CET | 49985 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:03:37.169256926 CET | 5829 | 49985 | 156.0.0.7 | 192.168.2.9
                                        Dec 3, 2024 14:03:40.482176065 CET | 49986 | 5829 | 192.168.2.9 | 194.59.31.75
                                        Dec 3, 2024 14:03:40.602332115 CET | 5829 | 49986 | 194.59.31.75 | 192.168.2.9
                                        Dec 3, 2024 14:03:40.602477074 CET | 49986 | 5829 | 192.168.2.9 | 194.59.31.75
                                        Dec 3, 2024 14:03:40.602896929 CET | 49986 | 5829 | 192.168.2.9 | 194.59.31.75
                                        Dec 3, 2024 14:03:40.723701000 CET | 5829 | 49986 | 194.59.31.75 | 192.168.2.9
                                        Dec 3, 2024 14:04:02.548157930 CET | 5829 | 49986 | 194.59.31.75 | 192.168.2.9
                                        Dec 3, 2024 14:04:02.548265934 CET | 49986 | 5829 | 192.168.2.9 | 194.59.31.75
                                        Dec 3, 2024 14:04:02.549649954 CET | 49986 | 5829 | 192.168.2.9 | 194.59.31.75
                                        Dec 3, 2024 14:04:02.669589043 CET | 5829 | 49986 | 194.59.31.75 | 192.168.2.9
                                        Dec 3, 2024 14:04:06.246368885 CET | 49987 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:04:06.366427898 CET | 5829 | 49987 | 156.0.0.7 | 192.168.2.9
                                        Dec 3, 2024 14:04:06.366532087 CET | 49987 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:04:06.366920948 CET | 49987 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:04:06.486980915 CET | 5829 | 49987 | 156.0.0.7 | 192.168.2.9
                                        Dec 3, 2024 14:04:28.329437971 CET | 5829 | 49987 | 156.0.0.7 | 192.168.2.9
                                        Dec 3, 2024 14:04:28.329590082 CET | 49987 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:04:28.336599112 CET | 49987 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:04:28.456691027 CET | 5829 | 49987 | 156.0.0.7 | 192.168.2.9
                                        Dec 3, 2024 14:04:31.718166113 CET | 49988 | 5829 | 192.168.2.9 | 194.59.31.75
                                        Dec 3, 2024 14:04:31.838342905 CET | 5829 | 49988 | 194.59.31.75 | 192.168.2.9
                                        Dec 3, 2024 14:04:31.838432074 CET | 49988 | 5829 | 192.168.2.9 | 194.59.31.75
                                        Dec 3, 2024 14:04:31.839274883 CET | 49988 | 5829 | 192.168.2.9 | 194.59.31.75
                                        Dec 3, 2024 14:04:31.959322929 CET | 5829 | 49988 | 194.59.31.75 | 192.168.2.9
                                        Dec 3, 2024 14:04:53.829941988 CET | 5829 | 49988 | 194.59.31.75 | 192.168.2.9
                                        Dec 3, 2024 14:04:53.830027103 CET | 49988 | 5829 | 192.168.2.9 | 194.59.31.75
                                        Dec 3, 2024 14:04:53.830526114 CET | 49988 | 5829 | 192.168.2.9 | 194.59.31.75
                                        Dec 3, 2024 14:04:53.950411081 CET | 5829 | 49988 | 194.59.31.75 | 192.168.2.9
                                        Dec 3, 2024 14:04:57.184143066 CET | 49989 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:04:57.304241896 CET | 5829 | 49989 | 156.0.0.7 | 192.168.2.9
                                        Dec 3, 2024 14:04:57.304543972 CET | 49989 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:04:57.304980993 CET | 49989 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:04:57.424979925 CET | 5829 | 49989 | 156.0.0.7 | 192.168.2.9
                                        Dec 3, 2024 14:05:19.252321005 CET | 5829 | 49989 | 156.0.0.7 | 192.168.2.9
                                        Dec 3, 2024 14:05:19.252397060 CET | 49989 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:05:19.253715038 CET | 49989 | 5829 | 192.168.2.9 | 156.0.0.7
                                        Dec 3, 2024 14:05:19.373683929 CET | 5829 | 49989 | 156.0.0.7 | 192.168.2.9
                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Dec 3, 2024 14:01:31.952594995 CET | 53508 | 53 | 192.168.2.9 | 1.1.1.1
                                        Dec 3, 2024 14:01:32.273351908 CET | 53 | 53508 | 1.1.1.1 | 192.168.2.9
                                        Dec 3, 2024 14:01:45.449042082 CET | 58870 | 53 | 192.168.2.9 | 1.1.1.1
                                        Dec 3, 2024 14:01:45.587213039 CET | 53 | 58870 | 1.1.1.1 | 192.168.2.9
                                        Dec 3, 2024 14:01:57.793560982 CET | 54882 | 53 | 192.168.2.9 | 1.1.1.1
                                        Dec 3, 2024 14:01:58.039246082 CET | 53 | 54882 | 1.1.1.1 | 192.168.2.9
                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                        Dec 3, 2024 14:01:31.952594995 CET192.168.2.91.1.1.10x8b61Standard query (0)Zyg.ydns.euA (IP address)IN (0x0001)false
                                        Dec 3, 2024 14:01:45.449042082 CET192.168.2.91.1.1.10xc478Standard query (0)Zyg.ydns.euA (IP address)IN (0x0001)false
                                        Dec 3, 2024 14:01:57.793560982 CET192.168.2.91.1.1.10x2ccfStandard query (0)Opy.ydns.euA (IP address)IN (0x0001)false
                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                        Dec 3, 2024 14:01:32.273351908 CET1.1.1.1192.168.2.90x8b61No error (0)Zyg.ydns.eu156.0.0.7A (IP address)IN (0x0001)false
                                        Dec 3, 2024 14:01:45.587213039 CET1.1.1.1192.168.2.90xc478No error (0)Zyg.ydns.eu156.0.0.7A (IP address)IN (0x0001)false
                                        Dec 3, 2024 14:01:58.039246082 CET1.1.1.1192.168.2.90x2ccfNo error (0)Opy.ydns.eu194.59.31.75A (IP address)IN (0x0001)false

                                        Target ID:0
                                        Start time:08:01:14
                                        Start date:03/12/2024
                                        Path:C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe"
                                        Imagebase:0x890000
                                        File size:3'836'424 bytes
                                        MD5 hash:96493F8A0252E4E492DE924D83DB5A8A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1438590915.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1447999343.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1503577997.000000000B571000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        Target ID:3
                                        Start time:08:01:16
                                        Start date:03/12/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe"
                                        Imagebase:0xd70000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:08:01:16
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff70f010000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:08:01:17
                                        Start date:03/12/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EPhabVgXw.exe"
                                        Imagebase:0xd70000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:6
                                        Start time:08:01:17
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff70f010000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:08:01:17
                                        Start date:03/12/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmp870B.tmp"
                                        Imagebase:0x230000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:8
                                        Start time:08:01:17
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff70f010000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:9
                                        Start time:08:01:17
                                        Start date:03/12/2024
                                        Path:C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe"
                                        Imagebase:0x220000
                                        File size:3'836'424 bytes
                                        MD5 hash:96493F8A0252E4E492DE924D83DB5A8A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:10
                                        Start time:08:01:17
                                        Start date:03/12/2024
                                        Path:C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe"
                                        Imagebase:0x390000
                                        File size:3'836'424 bytes
                                        MD5 hash:96493F8A0252E4E492DE924D83DB5A8A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:11
                                        Start time:08:01:17
                                        Start date:03/12/2024
                                        Path:C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe"
                                        Imagebase:0x9a0000
                                        File size:3'836'424 bytes
                                        MD5 hash:96493F8A0252E4E492DE924D83DB5A8A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.1468238184.0000000000720000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.1468238184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        Target ID:12
                                        Start time:08:01:20
                                        Start date:03/12/2024
                                        Path:C:\Users\user\AppData\Roaming\EPhabVgXw.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Roaming\EPhabVgXw.exe
                                        Imagebase:0x310000
                                        File size:3'836'424 bytes
                                        MD5 hash:96493F8A0252E4E492DE924D83DB5A8A
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000C.00000002.1695897182.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 45%, ReversingLabs
                                        Reputation:low
                                        Has exited:true

                                        Target ID:13
                                        Start time:08:01:20
                                        Start date:03/12/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:"schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
                                        Imagebase:0x230000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:14
                                        Start time:08:01:21
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff70f010000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:15
                                        Start time:08:01:21
                                        Start date:03/12/2024
                                        Path:C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                                        Imagebase:0xf20000
                                        File size:3'836'424 bytes
                                        MD5 hash:96493F8A0252E4E492DE924D83DB5A8A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000F.00000002.1548216347.0000000003553000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000F.00000002.1575341793.0000000004D31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 45%, ReversingLabs
                                        Has exited:true

                                        Target ID:16
                                        Start time:08:01:22
                                        Start date:03/12/2024
                                        Path:C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                        Imagebase:0x270000
                                        File size:3'836'424 bytes
                                        MD5 hash:96493F8A0252E4E492DE924D83DB5A8A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000010.00000002.1695231359.0000000002940000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Has exited:true

                                        Target ID:18
                                        Start time:08:01:25
                                        Start date:03/12/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                                        Imagebase:0xd70000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:19
                                        Start time:08:01:25
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff70f010000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:20
                                        Start time:08:01:25
                                        Start date:03/12/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EPhabVgXw.exe"
                                        Imagebase:0xd70000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:21
                                        Start time:08:01:25
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff70f010000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:22
                                        Start time:08:01:25
                                        Start date:03/12/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmpA8BC.tmp"
                                        Imagebase:0x230000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:23
                                        Start time:08:01:25
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff70f010000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:24
                                        Start time:08:01:26
                                        Start date:03/12/2024
                                        Path:C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                                        Imagebase:0xd80000
                                        File size:3'836'424 bytes
                                        MD5 hash:96493F8A0252E4E492DE924D83DB5A8A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:26
                                        Start time:08:01:29
                                        Start date:03/12/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:"schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
                                        Imagebase:0x230000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:27
                                        Start time:08:01:29
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff70f010000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:28
                                        Start time:08:01:38
                                        Start date:03/12/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmpDA5B.tmp"
                                        Imagebase:0x230000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:29
                                        Start time:08:01:38
                                        Start date:03/12/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                                        Imagebase:0xd70000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:30
                                        Start time:08:01:38
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff70f010000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:31
                                        Start time:08:01:38
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff70f010000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:32
                                        Start time:08:01:38
                                        Start date:03/12/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EPhabVgXw.exe"
                                        Imagebase:0xd70000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:33
                                        Start time:08:01:39
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff70f010000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:34
                                        Start time:08:01:39
                                        Start date:03/12/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\user\AppData\Local\Temp\tmpDCBC.tmp"
                                        Imagebase:0x230000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:35
                                        Start time:08:01:39
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff70f010000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:36
                                        Start time:08:01:39
                                        Start date:03/12/2024
                                        Path:C:\Users\user\AppData\Roaming\EPhabVgXw.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\EPhabVgXw.exe"
                                        Imagebase:0xe00000
                                        File size:3'836'424 bytes
                                        MD5 hash:96493F8A0252E4E492DE924D83DB5A8A
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:37
                                        Start time:08:01:39
                                        Start date:03/12/2024
                                        Path:C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                                        Imagebase:0x840000
                                        File size:3'836'424 bytes
                                        MD5 hash:96493F8A0252E4E492DE924D83DB5A8A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true


                                          Execution Graph

                                          Execution Coverage:10.8%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:176
                                          Total number of Limit Nodes:8
                                          execution_graph 25111 993bee3 25112 993bee9 25111->25112 25113 993bf56 25111->25113 25117 993e4b6 25112->25117 25138 993e448 25112->25138 25158 993e458 25112->25158 25118 993e444 25117->25118 25120 993e4b9 25117->25120 25119 993e496 25118->25119 25178 993e931 25118->25178 25184 993ee8c 25118->25184 25189 993f02a 25118->25189 25194 993e8ca 25118->25194 25200 993ebcb 25118->25200 25205 993f1eb 25118->25205 25211 993f205 25118->25211 25219 993e9a5 25118->25219 25224 993ea03 25118->25224 25229 993ecc3 25118->25229 25235 993eadc 25118->25235 25241 993eb1d 25118->25241 25246 993ecde 25118->25246 25250 993e95a 25118->25250 25254 993e815 25118->25254 25259 993eb30 25118->25259 25263 993e831 25118->25263 25119->25113 25120->25113 25139 993e472 25138->25139 25140 993e931 4 API calls 25139->25140 25141 993e831 2 API calls 25139->25141 25142 993eb30 2 API calls 25139->25142 25143 993e815 2 API calls 25139->25143 25144 993e496 25139->25144 25145 993e95a 2 API calls 25139->25145 25146 993ecde 2 API calls 25139->25146 25147 993eb1d 2 API calls 25139->25147 25148 993eadc 2 API calls 25139->25148 25149 993ecc3 4 API calls 25139->25149 25150 993ea03 2 API calls 25139->25150 25151 993e9a5 2 API calls 25139->25151 25152 993f205 4 API calls 25139->25152 25153 993f1eb 4 API calls 25139->25153 25154 993ebcb 2 API calls 25139->25154 25155 993e8ca 4 API calls 25139->25155 25156 993f02a 2 API calls 25139->25156 25157 993ee8c 2 API calls 25139->25157 25140->25144 25141->25144 25142->25144 25143->25144 25144->25113 25145->25144 25146->25144 25147->25144 25148->25144 25149->25144 25150->25144 25151->25144 25152->25144 25153->25144 25154->25144 25155->25144 25156->25144 25157->25144 25159 993e472 25158->25159 25160 993e931 4 API calls 25159->25160 25161 993e831 2 API calls 25159->25161 25162 993eb30 2 API calls 25159->25162 25163 993e815 2 API calls 25159->25163 25164 993e496 25159->25164 25165 993e95a 2 API calls 25159->25165 25166 993ecde 2 API calls 
25159->25166 25167 993eb1d 2 API calls 25159->25167 25168 993eadc 2 API calls 25159->25168 25169 993ecc3 4 API calls 25159->25169 25170 993ea03 2 API calls 25159->25170 25171 993e9a5 2 API calls 25159->25171 25172 993f205 4 API calls 25159->25172 25173 993f1eb 4 API calls 25159->25173 25174 993ebcb 2 API calls 25159->25174 25175 993e8ca 4 API calls 25159->25175 25176 993f02a 2 API calls 25159->25176 25177 993ee8c 2 API calls 25159->25177 25160->25164 25161->25164 25162->25164 25163->25164 25164->25113 25165->25164 25166->25164 25167->25164 25168->25164 25169->25164 25170->25164 25171->25164 25172->25164 25173->25164 25174->25164 25175->25164 25176->25164 25177->25164 25179 993e8e1 25178->25179 25268 993b161 25179->25268 25272 993b168 25179->25272 25276 993b210 25179->25276 25280 993b218 25179->25280 25185 993ee90 25184->25185 25284 993b720 25185->25284 25288 993b728 25185->25288 25186 993eeae 25190 993e9ac 25189->25190 25191 993e9e4 25190->25191 25292 993b7e0 25190->25292 25296 993b7e8 25190->25296 25195 993e8d0 25194->25195 25196 993b161 ResumeThread 25195->25196 25197 993b168 ResumeThread 25195->25197 25198 993b210 Wow64SetThreadContext 25195->25198 25199 993b218 Wow64SetThreadContext 25195->25199 25196->25195 25197->25195 25198->25195 25199->25195 25201 993e9ac 25200->25201 25202 993e9e4 25201->25202 25203 993b7e0 WriteProcessMemory 25201->25203 25204 993b7e8 WriteProcessMemory 25201->25204 25203->25202 25204->25202 25206 993e8e1 25205->25206 25207 993b161 ResumeThread 25206->25207 25208 993b168 ResumeThread 25206->25208 25209 993b210 Wow64SetThreadContext 25206->25209 25210 993b218 Wow64SetThreadContext 25206->25210 25207->25206 25208->25206 25209->25206 25210->25206 25300 993b8d0 25211->25300 25304 993b8d8 25211->25304 25212 993f2a1 25212->25119 25213 993ea1a 25213->25212 25217 993b720 VirtualAllocEx 25213->25217 25218 993b728 VirtualAllocEx 25213->25218 25214 993eeae 25217->25214 25218->25214 25220 993e9ab 25219->25220 25222 993b7e0 WriteProcessMemory 
25220->25222 25223 993b7e8 WriteProcessMemory 25220->25223 25221 993e9e4 25222->25221 25223->25221 25225 993ea09 25224->25225 25227 993b720 VirtualAllocEx 25225->25227 25228 993b728 VirtualAllocEx 25225->25228 25226 993eeae 25227->25226 25228->25226 25230 993e8e1 25229->25230 25231 993b161 ResumeThread 25230->25231 25232 993b168 ResumeThread 25230->25232 25233 993b210 Wow64SetThreadContext 25230->25233 25234 993b218 Wow64SetThreadContext 25230->25234 25231->25230 25232->25230 25233->25230 25234->25230 25237 993ea1a 25235->25237 25236 993f2a1 25236->25119 25237->25236 25239 993b720 VirtualAllocEx 25237->25239 25240 993b728 VirtualAllocEx 25237->25240 25238 993eeae 25239->25238 25240->25238 25242 993ea1a 25241->25242 25244 993b720 VirtualAllocEx 25242->25244 25245 993b728 VirtualAllocEx 25242->25245 25243 993eeae 25244->25243 25245->25243 25248 993b7e0 WriteProcessMemory 25246->25248 25249 993b7e8 WriteProcessMemory 25246->25249 25247 993ec62 25247->25119 25248->25247 25249->25247 25252 993b210 Wow64SetThreadContext 25250->25252 25253 993b218 Wow64SetThreadContext 25250->25253 25251 993e974 25251->25119 25252->25251 25253->25251 25255 993e824 25254->25255 25256 993e8b5 25255->25256 25308 993ba70 25255->25308 25312 993ba6c 25255->25312 25256->25119 25261 993b7e0 WriteProcessMemory 25259->25261 25262 993b7e8 WriteProcessMemory 25259->25262 25260 993e8b5 25260->25119 25261->25260 25262->25260 25264 993e824 25263->25264 25265 993e8b5 25264->25265 25266 993ba70 CreateProcessA 25264->25266 25267 993ba6c CreateProcessA 25264->25267 25265->25119 25266->25264 25267->25264 25269 993b1a8 ResumeThread 25268->25269 25271 993b1d9 25269->25271 25271->25179 25273 993b1a8 ResumeThread 25272->25273 25275 993b1d9 25273->25275 25275->25179 25277 993b25d Wow64SetThreadContext 25276->25277 25279 993b2a5 25277->25279 25279->25179 25281 993b25d Wow64SetThreadContext 25280->25281 25283 993b2a5 25281->25283 25283->25179 25285 993b768 VirtualAllocEx 25284->25285 25287 993b7a5 25285->25287 
25287->25186 25289 993b768 VirtualAllocEx 25288->25289 25291 993b7a5 25289->25291 25291->25186 25293 993b830 WriteProcessMemory 25292->25293 25295 993b887 25293->25295 25295->25191 25297 993b830 WriteProcessMemory 25296->25297 25299 993b887 25297->25299 25299->25191 25301 993b8d5 ReadProcessMemory 25300->25301 25303 993b967 25301->25303 25303->25213 25305 993b923 ReadProcessMemory 25304->25305 25307 993b967 25305->25307 25307->25213 25309 993baf9 25308->25309 25309->25309 25310 993bc5e CreateProcessA 25309->25310 25311 993bcbb 25310->25311 25313 993baf9 25312->25313 25313->25313 25314 993bc5e CreateProcessA 25313->25314 25315 993bcbb 25314->25315 25104 993f750 25105 993f8db 25104->25105 25107 993f776 25104->25107 25107->25105 25108 993a070 25107->25108 25109 993f9d0 PostMessageW 25108->25109 25110 993fa3c 25109->25110 25110->25107 25316 7ee6ab8 25322 7ee5e44 25316->25322 25318 7ee6adf 25320 7ee6b51 CreateIconFromResourceEx 25321 7ee6b86 25320->25321 25323 7ee6b08 CreateIconFromResourceEx 25322->25323 25325 7ee6ad2 25323->25325 25325->25318 25325->25320
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1485549550.0000000009930000.00000040.00000800.00020000.00000000.sdmp, Offset: 09930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9930000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5be64ac8c7c1e5397195eb24f5612b6469985b22210f302209a35ce9e2970e80
                                          • Instruction ID: 8ece94f4b6496a2744a96e8b825baf4e2dba477fa28b4feda3b3ea051f06cc33
                                          • Opcode Fuzzy Hash: 5be64ac8c7c1e5397195eb24f5612b6469985b22210f302209a35ce9e2970e80
                                          • Instruction Fuzzy Hash: 4AC1F431A08256DFC7198F69C8417AEBBF1FF42301F44C5BAE165DB2A2C7359846CB92
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1485549550.0000000009930000.00000040.00000800.00020000.00000000.sdmp, Offset: 09930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9930000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 63ac81ca5c8b5986e747bbd7e3ae34dfdd684c0a06e22cf375e0cfa831eab359
                                          • Instruction ID: 94932840929a3f909392ea4f8364a8eff84864bdfb80f77727601f40cedf8e28
                                          • Opcode Fuzzy Hash: 63ac81ca5c8b5986e747bbd7e3ae34dfdd684c0a06e22cf375e0cfa831eab359
                                          • Instruction Fuzzy Hash: 929181B4D042498FDB14DFA9D9805AEBBF2FF89305F24C16AE458AB256D7309D02CF91

                                          Control-flow Graph

                                          control_flow_graph 0 993ba6c-993bb05 2 993bb07-993bb11 0->2 3 993bb3e-993bb5e 0->3 2->3 4 993bb13-993bb15 2->4 10 993bb60-993bb6a 3->10 11 993bb97-993bbc6 3->11 5 993bb17-993bb21 4->5 6 993bb38-993bb3b 4->6 8 993bb23 5->8 9 993bb25-993bb34 5->9 6->3 8->9 9->9 12 993bb36 9->12 10->11 13 993bb6c-993bb6e 10->13 17 993bbc8-993bbd2 11->17 18 993bbff-993bcb9 CreateProcessA 11->18 12->6 15 993bb91-993bb94 13->15 16 993bb70-993bb7a 13->16 15->11 19 993bb7e-993bb8d 16->19 20 993bb7c 16->20 17->18 21 993bbd4-993bbd6 17->21 31 993bcc2-993bd48 18->31 32 993bcbb-993bcc1 18->32 19->19 22 993bb8f 19->22 20->19 23 993bbf9-993bbfc 21->23 24 993bbd8-993bbe2 21->24 22->15 23->18 26 993bbe6-993bbf5 24->26 27 993bbe4 24->27 26->26 28 993bbf7 26->28 27->26 28->23 42 993bd4a-993bd4e 31->42 43 993bd58-993bd5c 31->43 32->31 42->43 44 993bd50 42->44 45 993bd5e-993bd62 43->45 46 993bd6c-993bd70 43->46 44->43 45->46 47 993bd64 45->47 48 993bd72-993bd76 46->48 49 993bd80-993bd84 46->49 47->46 48->49 52 993bd78 48->52 50 993bd96-993bd9d 49->50 51 993bd86-993bd8c 49->51 53 993bdb4 50->53 54 993bd9f-993bdae 50->54 51->50 52->49 56 993bdb5 53->56 54->53 56->56
                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0993BCA6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1485549550.0000000009930000.00000040.00000800.00020000.00000000.sdmp, Offset: 09930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9930000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 75cf11bbdd6b1d7f41a4899c3df68ad05f145c2bcad1c4479135058710e36045
                                          • Instruction ID: 5a0b99a6832aafa508f35fcb8e55c237727f71fbe5e81bb0cac853f2bbbe81bc
                                          • Opcode Fuzzy Hash: 75cf11bbdd6b1d7f41a4899c3df68ad05f145c2bcad1c4479135058710e36045
                                          • Instruction Fuzzy Hash: 64916A71D003198FEF24CF69C8417EEBBB6BF48310F4481AAE859A7250DB749985CF91

                                          Control-flow Graph

                                          control_flow_graph 57 993ba70-993bb05 59 993bb07-993bb11 57->59 60 993bb3e-993bb5e 57->60 59->60 61 993bb13-993bb15 59->61 67 993bb60-993bb6a 60->67 68 993bb97-993bbc6 60->68 62 993bb17-993bb21 61->62 63 993bb38-993bb3b 61->63 65 993bb23 62->65 66 993bb25-993bb34 62->66 63->60 65->66 66->66 69 993bb36 66->69 67->68 70 993bb6c-993bb6e 67->70 74 993bbc8-993bbd2 68->74 75 993bbff-993bcb9 CreateProcessA 68->75 69->63 72 993bb91-993bb94 70->72 73 993bb70-993bb7a 70->73 72->68 76 993bb7e-993bb8d 73->76 77 993bb7c 73->77 74->75 78 993bbd4-993bbd6 74->78 88 993bcc2-993bd48 75->88 89 993bcbb-993bcc1 75->89 76->76 79 993bb8f 76->79 77->76 80 993bbf9-993bbfc 78->80 81 993bbd8-993bbe2 78->81 79->72 80->75 83 993bbe6-993bbf5 81->83 84 993bbe4 81->84 83->83 85 993bbf7 83->85 84->83 85->80 99 993bd4a-993bd4e 88->99 100 993bd58-993bd5c 88->100 89->88 99->100 101 993bd50 99->101 102 993bd5e-993bd62 100->102 103 993bd6c-993bd70 100->103 101->100 102->103 104 993bd64 102->104 105 993bd72-993bd76 103->105 106 993bd80-993bd84 103->106 104->103 105->106 109 993bd78 105->109 107 993bd96-993bd9d 106->107 108 993bd86-993bd8c 106->108 110 993bdb4 107->110 111 993bd9f-993bdae 107->111 108->107 109->106 113 993bdb5 110->113 111->110 113->113
                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0993BCA6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1485549550.0000000009930000.00000040.00000800.00020000.00000000.sdmp, Offset: 09930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9930000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 0926fa0b4fae1adbedd2062a30cb1e08b576ce7df23b4617b099383910bc07ef
                                          • Instruction ID: 8adf407f835c819732426a47fde1648fdb388924602f7149fc3aea5531f6aa70
                                          • Opcode Fuzzy Hash: 0926fa0b4fae1adbedd2062a30cb1e08b576ce7df23b4617b099383910bc07ef
                                          • Instruction Fuzzy Hash: 74915971D003198FEF24CF69C841BEEBBB6BF48310F5481AAE859A7250DB749985CF91

                                          Control-flow Graph

                                          control_flow_graph 114 7ee6ab8-7ee6add call 7ee5e44 117 7ee6adf-7ee6aef call 7ee6578 114->117 118 7ee6af2-7ee6b00 114->118 122 7ee6b02-7ee6b4e 118->122 123 7ee6b51-7ee6b84 CreateIconFromResourceEx 118->123 122->123 124 7ee6b8d-7ee6baa 123->124 125 7ee6b86-7ee6b8c 123->125 125->124
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1482073479.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ee0000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID: CreateFromIconResource
                                          • String ID:
                                          • API String ID: 3668623891-0
                                          • Opcode ID: a91d5034b1cbdc071c9d6679621873e480a7ccc03c5c699eb3609e153bfe124b
                                          • Instruction ID: 269db78ba96437a99892583289008970a93f6cd7ea899b196689700753150ad0
                                          • Opcode Fuzzy Hash: a91d5034b1cbdc071c9d6679621873e480a7ccc03c5c699eb3609e153bfe124b
                                          • Instruction Fuzzy Hash: FF31ADB29053889FCB11CFA9D844ADEBFF9EF09310F04846AE554AB221C335D950CFA1

                                          Control-flow Graph

                                          control_flow_graph 128 993b7e0-993b836 130 993b846-993b885 WriteProcessMemory 128->130 131 993b838-993b844 128->131 133 993b887-993b88d 130->133 134 993b88e-993b8be 130->134 131->130 133->134
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0993B878
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1485549550.0000000009930000.00000040.00000800.00020000.00000000.sdmp, Offset: 09930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9930000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 889f594e7327af0315fe7b304f712eaa4660aaea92ecfaff21dd4d0f9a1ea2d6
                                          • Instruction ID: 9f18ac7a9c1547aa7601f0ba3a3d1f66bdcfc8056217240cc7a50267f1b48322
                                          • Opcode Fuzzy Hash: 889f594e7327af0315fe7b304f712eaa4660aaea92ecfaff21dd4d0f9a1ea2d6
                                          • Instruction Fuzzy Hash: C12135729003099FDB10CFAAC885BEEBBF5FF48310F50842AE959A7240D7799945CBA5

                                          Control-flow Graph

                                          control_flow_graph 138 993b7e8-993b836 140 993b846-993b885 WriteProcessMemory 138->140 141 993b838-993b844 138->141 143 993b887-993b88d 140->143 144 993b88e-993b8be 140->144 141->140 143->144
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0993B878
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1485549550.0000000009930000.00000040.00000800.00020000.00000000.sdmp, Offset: 09930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9930000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 6773fbaa1f9dd38d6f034d32d91ff5ee84a623fc3d29ddb502e06a9ff2be1cfc
                                          • Instruction ID: 700467009b1d1aaae3cf0fff574b1807a5db2237c3db97d86357248b33d3c8e0
                                          • Opcode Fuzzy Hash: 6773fbaa1f9dd38d6f034d32d91ff5ee84a623fc3d29ddb502e06a9ff2be1cfc
                                          • Instruction Fuzzy Hash: A12127719003499FDB10CFAAC885BEEBBF5FF48310F50842AE959A7240D7799940CBA5

                                          Control-flow Graph

                                          control_flow_graph 148 993b210-993b263 150 993b273-993b2a3 Wow64SetThreadContext 148->150 151 993b265-993b271 148->151 153 993b2a5-993b2ab 150->153 154 993b2ac-993b2dc 150->154 151->150 153->154
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0993B296
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1485549550.0000000009930000.00000040.00000800.00020000.00000000.sdmp, Offset: 09930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9930000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 64bf3b377045c38e12cbf46817f3966d2ca97c707a422ec77fcbdf07bfc66ad7
                                          • Instruction ID: 6c282054e078912c0d71cadbab85451d32c694b3f1f3577226acb7edcd6b2015
                                          • Opcode Fuzzy Hash: 64bf3b377045c38e12cbf46817f3966d2ca97c707a422ec77fcbdf07bfc66ad7
                                          • Instruction Fuzzy Hash: 4D213A71D043088FDB10DFAAC8857EEBBF5EF48350F54842AD559A7240C7789545CFA5

                                          Control-flow Graph

                                          control_flow_graph 158 993b8d0-993b965 ReadProcessMemory 162 993b967-993b96d 158->162 163 993b96e-993b99e 158->163 162->163
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0993B958
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1485549550.0000000009930000.00000040.00000800.00020000.00000000.sdmp, Offset: 09930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9930000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 870cd720a19b8fbd7f29c98e8effe954da9f19632cf707e52c47b6f1e4537543
                                          • Instruction ID: 8fe8da92b00710748de20aceab22d2fa710f0e44f705ab85bb1f21d7e72ac51c
                                          • Opcode Fuzzy Hash: 870cd720a19b8fbd7f29c98e8effe954da9f19632cf707e52c47b6f1e4537543
                                          • Instruction Fuzzy Hash: DF2128718003499FDB10CFAAC881BEEBBF5FF48310F50842AE559A7250C7799541CBA5

                                          Control-flow Graph

                                          control_flow_graph 177 993b8d8-993b965 ReadProcessMemory 180 993b967-993b96d 177->180 181 993b96e-993b99e 177->181 180->181
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0993B958
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1485549550.0000000009930000.00000040.00000800.00020000.00000000.sdmp, Offset: 09930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9930000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 848457645f5301906ee1dfc553cbc7a336d297072e3e934a72842dff039c102e
                                          • Instruction ID: 87f5b199b1778c91ef9cb43e671efdb2c6147f4e7c3b31eecaa78cac35df8c79
                                          • Opcode Fuzzy Hash: 848457645f5301906ee1dfc553cbc7a336d297072e3e934a72842dff039c102e
                                          • Instruction Fuzzy Hash: 5B2128718003499FDB10CFAAC881BEEBBF5FF48310F50842AE559A7240C7799540CBA5

                                          Control-flow Graph

                                          control_flow_graph 167 993b218-993b263 169 993b273-993b2a3 Wow64SetThreadContext 167->169 170 993b265-993b271 167->170 172 993b2a5-993b2ab 169->172 173 993b2ac-993b2dc 169->173 170->169 172->173
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0993B296
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1485549550.0000000009930000.00000040.00000800.00020000.00000000.sdmp, Offset: 09930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9930000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 1760743638aada0c35f399d14dbc2b37b2193d06cd6c215fd226f49b3b7d2fba
                                          • Instruction ID: f91806bcb2e5de0d3690461e00427f977d64e274ce9dfe3d3fd9db5f808584b0
                                          • Opcode Fuzzy Hash: 1760743638aada0c35f399d14dbc2b37b2193d06cd6c215fd226f49b3b7d2fba
                                          • Instruction Fuzzy Hash: 23213871D003088FDB10DFAAC885BEEBBF5AF48310F54842AD559A7240C7B89945CFA5

                                          Control-flow Graph (function starting at 993b720; rendered graph omitted)
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0993B796
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1485549550.0000000009930000.00000040.00000800.00020000.00000000.sdmp, Offset: 09930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9930000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: bb282f7a1ab5c625f58221965189671161b174848424c77f28b653cb1a4bc46e
                                          • Instruction ID: 59ad1a6b7e575beef9e86e04b4265be799ce6624a8a4b71ac516c24352d26a41
                                          • Opcode Fuzzy Hash: bb282f7a1ab5c625f58221965189671161b174848424c77f28b653cb1a4bc46e
                                          • Instruction Fuzzy Hash: AB116A728003489FDB10DFAAC885BEFBBF5EF48320F108419E519A7250C7759945CFA5

                                          Control-flow Graph (function starting at 7ee5e44; rendered graph omitted)
                                          APIs
                                          • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,07EE6AD2,?,?,?,?,?), ref: 07EE6B77
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1482073479.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ee0000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID: CreateFromIconResource
                                          • String ID:
                                          • API String ID: 3668623891-0
                                          • Opcode ID: 4aa996cb2cd0b307868505bebbae945678911c38fe02418fe9c5f33a4b1c34f5
                                          • Instruction ID: c2c31a884db889283faf58edfb9acc85c29136c021e7ecc1ca50af7087ecb80b
                                          • Opcode Fuzzy Hash: 4aa996cb2cd0b307868505bebbae945678911c38fe02418fe9c5f33a4b1c34f5
                                          • Instruction Fuzzy Hash: AE1114B68003499FDF10CFAAC845BEEBBF8EB48320F14841AE554A7250C375A950CFA5

                                          Control-flow Graph (function starting at 993b161; rendered graph omitted)
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1485549550.0000000009930000.00000040.00000800.00020000.00000000.sdmp, Offset: 09930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9930000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: b09d9fbb8604732355ced079f74b9aab1f842fac753ce9130b267b44525d2299
                                          • Instruction ID: 32854c9f845942958e99cb9793340fe1b060cc359dde0e8bf26937f39dc415c6
                                          • Opcode Fuzzy Hash: b09d9fbb8604732355ced079f74b9aab1f842fac753ce9130b267b44525d2299
                                          • Instruction Fuzzy Hash: 131146719003488BDB20DFAAC8857EFBBF5AB48220F15842AD559A7240C7759981CBA5

                                          Control-flow Graph (function starting at 993b728; rendered graph omitted)
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0993B796
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1485549550.0000000009930000.00000040.00000800.00020000.00000000.sdmp, Offset: 09930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9930000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: b3a03ce90631c1f516c76885f7c7af2548c317359e78735e2dafab2394054b75
                                          • Instruction ID: 693b093318b9955d4d8f57b28b62d3bc986b8e35e06f38c111092af624e17b8c
                                          • Opcode Fuzzy Hash: b3a03ce90631c1f516c76885f7c7af2548c317359e78735e2dafab2394054b75
                                          • Instruction Fuzzy Hash: CC1137768003489FDB10DFAAC844BEFBBF9EF48320F14841AE519A7650C7759540CFA5

                                          Control-flow Graph (function starting at 993f9c8; rendered graph omitted)
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 0993FA2D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1485549550.0000000009930000.00000040.00000800.00020000.00000000.sdmp, Offset: 09930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9930000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 5e982086b839f1b81b568bb41016e314f613afd9f21b7a0d20516e72d0254cec
                                          • Instruction ID: d6869e4d87c98f2587d64d0d81cabb3c34eb992815d83ad691adf976bea141fc
                                          • Opcode Fuzzy Hash: 5e982086b839f1b81b568bb41016e314f613afd9f21b7a0d20516e72d0254cec
                                          • Instruction Fuzzy Hash: F31103B58003499FDB10DF9AD885BDEFBF8EB48324F10841AE559A7240D375AA45CFA1

                                          Control-flow Graph (function starting at 993b168; rendered graph omitted)
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1485549550.0000000009930000.00000040.00000800.00020000.00000000.sdmp, Offset: 09930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9930000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 69bd6cbcdb882b3ab9b8d1c7926e04882abc422ad569886e13686feaa6bdf5c0
                                          • Instruction ID: f21fb71ea4aeb124eece49a7facab84f1f315a85783de7a30d1c851cbaeab23b
                                          • Opcode Fuzzy Hash: 69bd6cbcdb882b3ab9b8d1c7926e04882abc422ad569886e13686feaa6bdf5c0
                                          • Instruction Fuzzy Hash: 521128719043488BDB10DFAAC8457EFFBF5AF48624F14841AD519A7240C775A940CBA5
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 0993FA2D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1485549550.0000000009930000.00000040.00000800.00020000.00000000.sdmp, Offset: 09930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9930000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 791012c0b8d9c0c5d5893f9ba3bd7552f31a74e59b21c7cfd4a5fd477b54b3d5
                                          • Instruction ID: 256de885d5a00447c80873e170692226fe2e3a2f346575fee675b135a3e0970a
                                          • Opcode Fuzzy Hash: 791012c0b8d9c0c5d5893f9ba3bd7552f31a74e59b21c7cfd4a5fd477b54b3d5
                                          • Instruction Fuzzy Hash: BC11F2B58003489FDB10DF9AD885BDEBBF8EB48320F60841AE558A7210D3B5A944CFA5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459485081.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_66e0000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1fce5863fd18bacde86763a31456dba712377bfc4dca3d9cb7c94e0e6b5f6c92
                                          • Instruction ID: 11f89423e52f8b0ebe067f0c8008350d70becee5bef0c13482b9ac0f6a1102a7
                                          • Opcode Fuzzy Hash: 1fce5863fd18bacde86763a31456dba712377bfc4dca3d9cb7c94e0e6b5f6c92
                                          • Instruction Fuzzy Hash: C631D27164A309CFD3948B2CD844AAA7BA1FB46302F0581A7E059CF293C779DCA6C791
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459485081.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_66e0000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cbc3fe39b7bf9234cf52e08612e6029e52bbb5525f66bb393559fddb8c195a64
                                          • Instruction ID: 9dd2461e1cf8e891312eca20a3b0fd8d058c1baf05e639cb0f2063517329b335
                                          • Opcode Fuzzy Hash: cbc3fe39b7bf9234cf52e08612e6029e52bbb5525f66bb393559fddb8c195a64
                                          • Instruction Fuzzy Hash: AA01C8B5C46208EFDB91EFF4CC51A997FB0BF08300F1184A9D454EB222D7758516CB61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459485081.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_66e0000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0cdf229f14a39ad90a0c27fa2c2698250d09e18f7a0a816640d8907fbd9a197d
                                          • Instruction ID: edc80df62b82c68810908188ae81a11915cdf007cd559ce405cfbc02ae72ccaf
                                          • Opcode Fuzzy Hash: 0cdf229f14a39ad90a0c27fa2c2698250d09e18f7a0a816640d8907fbd9a197d
                                          • Instruction Fuzzy Hash: F3E02B60C093CA5FE7629F3948A52DA7F705B06125F18C3DBC0E0DE583C679011B8B51
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459485081.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_66e0000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 24022d08ef316db603ffcf658b6d511d7a61a656ae6583280c8c3f77ec9499ab
                                          • Instruction ID: bf44524093807a7aa3a97f50beb7398a4c3ee8dff530ede822498bb50cd1ad37
                                          • Opcode Fuzzy Hash: 24022d08ef316db603ffcf658b6d511d7a61a656ae6583280c8c3f77ec9499ab
                                          • Instruction Fuzzy Hash: DDD0ECB4C4120E9FE780EFB989053AEBAF46B04200F5088698014E6201EBB842158B91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1482073479.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ee0000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5909450becc003f97ee106520d34c0171667f2df47b6b064e94c43fd417740d7
                                          • Instruction ID: 2376e8fae1c8c72e2eabce7b0ea4e404ccedf11be6cbf3961e38d5af21aff06f
                                          • Opcode Fuzzy Hash: 5909450becc003f97ee106520d34c0171667f2df47b6b064e94c43fd417740d7
                                          • Instruction Fuzzy Hash: 5B429DB0E012188FDB64DFA8C8507AEBBF6BF89304F148469D409AB394DB349D95CF95
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1485549550.0000000009930000.00000040.00000800.00020000.00000000.sdmp, Offset: 09930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9930000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8643d35dd6829b54357009953a45573811985843370b11458fd22602f1bf82c8
                                          • Instruction ID: 287ccd46abdf354162ed0f2700e9e76c1e11176f46aea49ee47214d2638236e5
                                          • Opcode Fuzzy Hash: 8643d35dd6829b54357009953a45573811985843370b11458fd22602f1bf82c8
                                          • Instruction Fuzzy Hash: 49E1F674E002598FDB14DFA8C580AAEBBB2FF89305F24C16AD855AB355D731AD42CF60
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1485549550.0000000009930000.00000040.00000800.00020000.00000000.sdmp, Offset: 09930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9930000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6185fc3780d4b31fa2e7deaf47710b7335a7ba7dabea5049eefea8043f381c6b
                                          • Instruction ID: 4a746a0a590174b83a09467d02e5a835e39ef0c34db304b3faf562034a1cc5be
                                          • Opcode Fuzzy Hash: 6185fc3780d4b31fa2e7deaf47710b7335a7ba7dabea5049eefea8043f381c6b
                                          • Instruction Fuzzy Hash: A3E109B4E002598FDB14DFA9C580AAEBBB2FF89305F24C16AE455AB355C7319D41CF60
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1485549550.0000000009930000.00000040.00000800.00020000.00000000.sdmp, Offset: 09930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9930000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eb52b8b66a2c8f2f6c913f2c3267d3a3aacb4750d724f4b90ef958b272440fc9
                                          • Instruction ID: b9a41c866ce66e4a7f906c1d50a27173f573f54b9d710ebb12b169c50ddd87b9
                                          • Opcode Fuzzy Hash: eb52b8b66a2c8f2f6c913f2c3267d3a3aacb4750d724f4b90ef958b272440fc9
                                          • Instruction Fuzzy Hash: 56E1F874E00259CFDB14DFA9C580AAEBBB2FF89305F24C169E855AB355C731A942CF60
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1485549550.0000000009930000.00000040.00000800.00020000.00000000.sdmp, Offset: 09930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9930000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a611e31950fef00fdab90095dbecbf4d694717f09df29b3b68c5bd03bb4ae22c
                                          • Instruction ID: 2bb5cd4ee9424281b4006aca2a7d85aba96b85f4679d46db15ae33c8a8bf8557
                                          • Opcode Fuzzy Hash: a611e31950fef00fdab90095dbecbf4d694717f09df29b3b68c5bd03bb4ae22c
                                          • Instruction Fuzzy Hash: 03E118B4E00219CFDB14DFA9C580AAEBBB2FF89305F24C169D845AB355D7719941CF60
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1485549550.0000000009930000.00000040.00000800.00020000.00000000.sdmp, Offset: 09930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9930000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 87d03f1270ae91e0036bae41be708d0eb81082722a6e744d513e7fe7f4c98b2d
                                          • Instruction ID: 3c19d2df9abb49f419a00aba6e414ea5e6bbae1d2a8adade7e624a972860d48c
                                          • Opcode Fuzzy Hash: 87d03f1270ae91e0036bae41be708d0eb81082722a6e744d513e7fe7f4c98b2d
                                          • Instruction Fuzzy Hash: 94E10874E002598FDB14DFA9C580AAEBBB2FF89305F24C16AD815AB355D731AD42CF60
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1482073479.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ee0000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 57a3187b12f8360155dfeeecd9895856a5acb1371e94591732b9e5c1354622a9
                                          • Instruction ID: b90b7d99631244773f032c0501dd9c04929302f13d1c8707c07f0e481409b386
                                          • Opcode Fuzzy Hash: 57a3187b12f8360155dfeeecd9895856a5acb1371e94591732b9e5c1354622a9
                                          • Instruction Fuzzy Hash: 40B17CB4E01215CFDF25CFA8D88079EBBF6AF84314F1499AAD409AB255DB30D994CF50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1485549550.0000000009930000.00000040.00000800.00020000.00000000.sdmp, Offset: 09930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9930000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e9b286028ef7eb02582320295f0fb72d1603bd829c0269bba9f0714bc97367a7
                                          • Instruction ID: f2d6658c962cc3fa1bb2de253e50c33459611a881e193650f00863a1b31270d2
                                          • Opcode Fuzzy Hash: e9b286028ef7eb02582320295f0fb72d1603bd829c0269bba9f0714bc97367a7
                                          • Instruction Fuzzy Hash: A4511870E002198FDB14DFAAC5805AEFBB2FF89301F24C16AE418AB255D7319942CFA1

                                          Execution Graph

                                          Execution Coverage: 8.1%
                                          Dynamic/Decrypted Code Coverage: 100%
                                          Signature Coverage: 0%
                                          Total number of Nodes: 98
                                          Total number of Limit Nodes: 11

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.1483541547.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2ce0000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID: j/C
                                          • API String ID: 4139908857-2778471894
                                          • Opcode ID: cf7e4e2d3b58eee2645cbcc83cc5a104e3781d7d7d7ae6c9f5648dceffe657f4
                                          • Instruction ID: 62ded0d7c24ff1db14df596a15bd61a81c0f8e4b631acbd7f83460ca9e5ecdac
                                          • Opcode Fuzzy Hash: cf7e4e2d3b58eee2645cbcc83cc5a104e3781d7d7d7ae6c9f5648dceffe657f4
                                          • Instruction Fuzzy Hash: 4E7126B0A00B058FDB24DF6AD44075ABBF2BF88714F00892AD496D7A50D775EA46CF91

                                          Control-flow Graph (function starting at 2ce6414; rendered graph omitted)
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 02CE7421
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.1483541547.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2ce0000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID: j/C
                                          • API String ID: 2289755597-2778471894
                                          • Opcode ID: bfa9557cc80099ca490491ad290fe97455a1d065c7d6af51584b3a00d56559e1
                                          • Instruction ID: a53f15c228a71d1ef2a4d7b873aaf7dad5aa4482a92a927795404a049851c64f
                                          • Opcode Fuzzy Hash: bfa9557cc80099ca490491ad290fe97455a1d065c7d6af51584b3a00d56559e1
                                          • Instruction Fuzzy Hash: A941AEB0C00719CBEB24DFA9C844BDEBBF5BF48714F20806AD409AB251DBB56949CF90

                                          Control-flow Graph

                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 02CE7421
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.1483541547.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2ce0000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID: j/C
                                          • API String ID: 2289755597-2778471894
                                          • Opcode ID: 5fb5f74544d23c6089312220d59c117c9c29672a711355f66ad9aa8d9714cdc0
                                          • Instruction ID: cd38ba8bbcf277616f38cbebe72bbda87b1ce87bc23471060c4da1de8a6d0269
                                          • Opcode Fuzzy Hash: 5fb5f74544d23c6089312220d59c117c9c29672a711355f66ad9aa8d9714cdc0
                                          • Instruction Fuzzy Hash: 1841BFB1C00719CBEB25CFA9C844BDEFBB5BF48314F24806AD409AB251D7B55949CF90

                                          Control-flow Graph

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02CE674E,?,?,?,?,?), ref: 02CE680F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.1483541547.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2ce0000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID: j/C
                                          • API String ID: 3793708945-2778471894
                                          • Opcode ID: 60daad753bc084db28de30c2b533589a3e4ec5749a71dea1b69a4e8b3e4bf8c7
                                          • Instruction ID: 130cbd319a50e3449d973a53daa7d78d63ab8bf68ef619968b9990c90867d991
                                          • Opcode Fuzzy Hash: 60daad753bc084db28de30c2b533589a3e4ec5749a71dea1b69a4e8b3e4bf8c7
                                          • Instruction Fuzzy Hash: 812148B18002489FDF10CF9AD884BEEBBF8EF08320F14855AE865A3251C3789941CF64

                                          Control-flow Graph

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02CE674E,?,?,?,?,?), ref: 02CE680F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.1483541547.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2ce0000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID: j/C
                                          • API String ID: 3793708945-2778471894
                                          • Opcode ID: 5412f3251a967753724ccb2e8dcb55f4d7aa5ec3cb5e9439af37d6b21c4b2fbe
                                          • Instruction ID: 582a2025ae83baadf378fa9a65bfb85412bcae3dcb47242c67da5cc9255e2618
                                          • Opcode Fuzzy Hash: 5412f3251a967753724ccb2e8dcb55f4d7aa5ec3cb5e9439af37d6b21c4b2fbe
                                          • Instruction Fuzzy Hash: B221E5B59002489FDF10CF9AD884ADEBBF8FB48320F14845AE915A7351D374A940CFA5

                                          Control-flow Graph

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,02CEC01C), ref: 02CEC256
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.1483541547.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2ce0000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID: j/C
                                          • API String ID: 4139908857-2778471894
                                          • Opcode ID: 97b99b7286c9e03340c8773793b70d0434ab6da6104b98e6684813a6c2537b39
                                          • Instruction ID: 4f8b44962d00baf1d3d490a913639acf3d538f035a12492144278d9ff9dbb93b
                                          • Opcode Fuzzy Hash: 97b99b7286c9e03340c8773793b70d0434ab6da6104b98e6684813a6c2537b39
                                          • Instruction Fuzzy Hash: 7111F0B58043498BDB20DF9AC444BDEFBF4EB88614F10846AD429B7201D375A645CFA5
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.1481941481.0000000002C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C9D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2c9d000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 82f2ebb30312bec97b97f7c3569afd449ffb0693ea0c73c5fd16c750b85da857
                                          • Instruction ID: 2c3c38fe2970384201c6f1124f2f237a409508e3245669b3ee567a18e4684cfe
                                          • Opcode Fuzzy Hash: 82f2ebb30312bec97b97f7c3569afd449ffb0693ea0c73c5fd16c750b85da857
                                          • Instruction Fuzzy Hash: C221D371504304DFDF14EF24D588B16BBA5FB84214F20C569E84A5B246C336D447CAA2
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.1481941481.0000000002C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C9D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2c9d000_Nowe zam#U00f3wienie - 0072291855.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5e6f03319712b926f2863a8ffe5f238759b39bd220830e73eb0b3b82a2bed1da
                                          • Instruction ID: 1eeb4cafc019bcca976553ef98bfaf3163d75536b323db7a893d38a615fca685
                                          • Opcode Fuzzy Hash: 5e6f03319712b926f2863a8ffe5f238759b39bd220830e73eb0b3b82a2bed1da
                                          • Instruction Fuzzy Hash: CE21A4755093C08FDB12DF24D594715BF71FB86214F28C5EAD8498F2A7C33A980ACBA2

                                          Execution Graph

                                          Execution Coverage:12.8%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:18
                                          Total number of Limit Nodes:2

                                          Control-flow Graph

                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 02939039
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1694270005.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_2930000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 2730e85c66fcdf640b46caa1865ea27e1f407d9669653a58e34e6838137846b3
                                          • Instruction ID: 34d91ea70d5d3af5b75bdcf297f3990e97d39416e3cd03397ba7b70b49dbe08f
                                          • Opcode Fuzzy Hash: 2730e85c66fcdf640b46caa1865ea27e1f407d9669653a58e34e6838137846b3
                                          • Instruction Fuzzy Hash: E341D2B0C00719CFEB25CFA9C844BDEBBB5BF49304F24806AD408AB251D7B5694ACF90

                                          Control-flow Graph

                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 02939039
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1694270005.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_2930000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 67e33a87e0f3a2a3b5efcafc0c4288036080d4f07e4a13f21740fdef9a4ca6c0
                                          • Instruction ID: 4282f75c686cb8baff88a8ab191ab5ddabf98a0a517ac7d4f878a95377e34ee2
                                          • Opcode Fuzzy Hash: 67e33a87e0f3a2a3b5efcafc0c4288036080d4f07e4a13f21740fdef9a4ca6c0
                                          • Instruction Fuzzy Hash: 3D41B0B0C00719DBEB25DFA9C845BDEBBF5BF49304F24806AD408AB251DBB56945CF90

                                          Control-flow Graph

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0293EDDE
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1694270005.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_2930000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 1ccc9ff60f1f6e5804a2f879f37870cd9b9cdca93af70db1469ef40247405c78
                                          • Instruction ID: 366d27163e92974e17d7dc7c145733dad5c4a57f41d9b9824c0cc852c23a570d
                                          • Opcode Fuzzy Hash: 1ccc9ff60f1f6e5804a2f879f37870cd9b9cdca93af70db1469ef40247405c78
                                          • Instruction Fuzzy Hash: 9511DFB6C002498FDB11DF9AD844BDEFBF8EF88324F10846AD469A7610C375A545CFA5
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1682182093.000000000275D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0275D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_275d000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f8d529bb3d86904f131cce38e712212584c47cb286ffa553f06395ebddcd7dce
                                          • Instruction ID: ef45b5d7a1f1a725ae59d268208bf9fe97d362c89f5f54e4a836e68cfa5cd3b7
                                          • Opcode Fuzzy Hash: f8d529bb3d86904f131cce38e712212584c47cb286ffa553f06395ebddcd7dce
                                          • Instruction Fuzzy Hash: 7B212571504254EFEB25DF10D9C0B26FFA5FB88328F20C569EC090B256C376D456CAA2
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1683832293.000000000276D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0276D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_276d000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d14c6e54413b02bc5175078a1caf3afa7baae11f12440984328130fc0184de4b
                                          • Instruction ID: f46b86d640cc8580f8e9c90223f0e295ffdfdfe39ca6e049fb4ee64ec900c53e
                                          • Opcode Fuzzy Hash: d14c6e54413b02bc5175078a1caf3afa7baae11f12440984328130fc0184de4b
                                          • Instruction Fuzzy Hash: B321D075614244EFDB24DF20D988B26BBA5EB88214F24C569EC4A4B246C336D847CAA2
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1683832293.000000000276D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0276D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_276d000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6788f0dadaf38c2f1d42f868ffc64a0817c4218289c297ba3c9b11e848552f78
                                          • Instruction ID: 64c4d28330a93213287b19475950a7fab8c7a01a0d5b4c0c560283e3d7c46cf7
                                          • Opcode Fuzzy Hash: 6788f0dadaf38c2f1d42f868ffc64a0817c4218289c297ba3c9b11e848552f78
                                          • Instruction Fuzzy Hash: 6C2162755093C08FDB12CF24D594715BF71EB46214F28C5DAD8498F6A7C33A940ACB62
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1682182093.000000000275D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0275D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_275d000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
                                          • Instruction ID: be5983716253c507bdadc88419d44a65425e95fd4ef37eb1dc00fe8436ee56b9
                                          • Opcode Fuzzy Hash: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
                                          • Instruction Fuzzy Hash: 2A119D76504280CFDB26CF10D5C4B16BF62FB84218F2486A9DC490B656C336D45ACBA1
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1682182093.000000000275D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0275D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_275d000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0e6862f39e2174899fcc16e7484ba7508193757e2c5f3848b5c6ec60ba311d7e
                                          • Instruction ID: 0008053c81d6219855a082ece80a07ef8432e8f50035d49b53d20afa3bcefec5
                                          • Opcode Fuzzy Hash: 0e6862f39e2174899fcc16e7484ba7508193757e2c5f3848b5c6ec60ba311d7e
                                          • Instruction Fuzzy Hash: 4301DB711053559BF7305B25CD847A7FBD8EF41334F14C86AED495A182C3B89840CB76
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1682182093.000000000275D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0275D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_275d000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a5286b3b1fa7d79ae80a57f361279a06693ea414802f2e1425df388c175bf57d
                                          • Instruction ID: a74afd5f0ffa5beeb789a2d8ef206e11e7e29964efa9b51b45a1254c298d9a95
                                          • Opcode Fuzzy Hash: a5286b3b1fa7d79ae80a57f361279a06693ea414802f2e1425df388c175bf57d
                                          • Instruction Fuzzy Hash: 13F062714053549FE7209A16DD84B66FBD8EB81734F18C55AED484E282C3B99844CB71

                                          Execution Graph

                                          Execution Coverage:11.8%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:198
                                          Total number of Limit Nodes:11

                                          Control-flow Graph

                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0851BCA6
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1618976933.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_8510000_outlooks.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: cf48e43979246a055c730f72b53b9e36a5b2c148e006dab5064821db3ec57806
                                          • Instruction ID: abd8d0233dc75461cecd1a8af3bceb7a4b054dd0c68a9564b4ed05a8f690519c
                                          • Opcode Fuzzy Hash: cf48e43979246a055c730f72b53b9e36a5b2c148e006dab5064821db3ec57806
                                          • Instruction Fuzzy Hash: ACA13971D00219CFEF14DF69C841BEEBBB2BF48311F0485A9E809A7254DB749985CF92

                                          Control-flow Graph

                                          control_flow_graph 58 851ba70-851bb05 60 851bb07-851bb11 58->60 61 851bb3e-851bb5e 58->61 60->61 62 851bb13-851bb15 60->62 68 851bb60-851bb6a 61->68 69 851bb97-851bbc6 61->69 63 851bb17-851bb21 62->63 64 851bb38-851bb3b 62->64 66 851bb23 63->66 67 851bb25-851bb34 63->67 64->61 66->67 67->67 70 851bb36 67->70 68->69 71 851bb6c-851bb6e 68->71 77 851bbc8-851bbd2 69->77 78 851bbff-851bcb9 CreateProcessA 69->78 70->64 72 851bb91-851bb94 71->72 73 851bb70-851bb7a 71->73 72->69 75 851bb7c 73->75 76 851bb7e-851bb8d 73->76 75->76 76->76 79 851bb8f 76->79 77->78 80 851bbd4-851bbd6 77->80 89 851bcc2-851bd48 78->89 90 851bcbb-851bcc1 78->90 79->72 82 851bbf9-851bbfc 80->82 83 851bbd8-851bbe2 80->83 82->78 84 851bbe4 83->84 85 851bbe6-851bbf5 83->85 84->85 85->85 87 851bbf7 85->87 87->82 100 851bd58-851bd5c 89->100 101 851bd4a-851bd4e 89->101 90->89 103 851bd6c-851bd70 100->103 104 851bd5e-851bd62 100->104 101->100 102 851bd50 101->102 102->100 105 851bd80-851bd84 103->105 106 851bd72-851bd76 103->106 104->103 107 851bd64 104->107 109 851bd96-851bd9d 105->109 110 851bd86-851bd8c 105->110 106->105 108 851bd78 106->108 107->103 108->105 111 851bdb4 109->111 112 851bd9f-851bdae 109->112 110->109 114 851bdb5 111->114 112->111 114->114
                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0851BCA6
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1618976933.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_8510000_outlooks.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: baf1b7f01c2e964f2dd02df8d791f8f7799c81118d4f1a5ae4b95b66e9fb358b
                                          • Instruction ID: 91eac13e2ab35f3b89014de527505831d30ed9e84edc7cb497c503a1180ed14b
                                          • Opcode Fuzzy Hash: baf1b7f01c2e964f2dd02df8d791f8f7799c81118d4f1a5ae4b95b66e9fb358b
                                          • Instruction Fuzzy Hash: DE913971D00219CFEF14DF69C841BEEBBB2BF48311F1485A9E809A7250DB749985CF92

                                          Control-flow Graph

                                          control_flow_graph 115 33f8f7c-33f8f87 116 33f8f88-33f9049 CreateActCtxA 115->116 118 33f904b-33f9051 116->118 119 33f9052-33f90ac 116->119 118->119 126 33f90ae-33f90b1 119->126 127 33f90bb-33f90bf 119->127 126->127 128 33f90c1-33f90cd 127->128 129 33f90d0 127->129 128->129 130 33f90d1 129->130 130->130
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 033F9039
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1547786169.00000000033F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_33f0000_outlooks.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: a3daf7e29aa36f0b4d959c05dd5a8c408c9e55e27388f064a1a8128c0d05b086
                                          • Instruction ID: a48fac2c6c690fb25711160a6b239684f84731866793fdb819ffb425dcf54c70
                                          • Opcode Fuzzy Hash: a3daf7e29aa36f0b4d959c05dd5a8c408c9e55e27388f064a1a8128c0d05b086
                                          • Instruction Fuzzy Hash: DF41B0B1C00719CFDB24CFAAC884BDEBBB5BF48304F64806AD508AB251DBB56945CF91

                                          Control-flow Graph

                                          control_flow_graph 132 33f7b24-33f9049 CreateActCtxA 135 33f904b-33f9051 132->135 136 33f9052-33f90ac 132->136 135->136 143 33f90ae-33f90b1 136->143 144 33f90bb-33f90bf 136->144 143->144 145 33f90c1-33f90cd 144->145 146 33f90d0 144->146 145->146 147 33f90d1 146->147 147->147
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 033F9039
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1547786169.00000000033F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_33f0000_outlooks.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: e07b0547362586b57ae91274bf39698595ea8534a0ca110103b752e11e758123
                                          • Instruction ID: 20f990b52fb00ab89016afac426f2bce1ff292af7316711041090e2c5f0cffe0
                                          • Opcode Fuzzy Hash: e07b0547362586b57ae91274bf39698595ea8534a0ca110103b752e11e758123
                                          • Instruction Fuzzy Hash: 6641AFB0C00719CFDB24DFAAC884BDEBBB5BF48304F64816AD508AB255DBB56945CF90

                                          Control-flow Graph

                                          control_flow_graph 149 851b7e0-851b836 152 851b846-851b885 WriteProcessMemory 149->152 153 851b838-851b844 149->153 155 851b887-851b88d 152->155 156 851b88e-851b8be 152->156 153->152 155->156
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0851B878
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1618976933.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_8510000_outlooks.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 8f95438571ffadd538c67d5471685b619ba39411b90c207be0d34efba3a9e762
                                          • Instruction ID: 5810820a5fa12dafbc3085f7ba152f359c8aee89dbde5d9a58605fbff064c5fb
                                          • Opcode Fuzzy Hash: 8f95438571ffadd538c67d5471685b619ba39411b90c207be0d34efba3a9e762
                                          • Instruction Fuzzy Hash: 4B2123719003599FDF10DFAAC885BEEBBF5FF48320F10842AE919A7250D7789944CBA5

                                          Control-flow Graph

                                          control_flow_graph 160 851b7e8-851b836 162 851b846-851b885 WriteProcessMemory 160->162 163 851b838-851b844 160->163 165 851b887-851b88d 162->165 166 851b88e-851b8be 162->166 163->162 165->166
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0851B878
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1618976933.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_8510000_outlooks.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: aafc1ea62df4027824a4ce8d0009dbf00615650e43aff457ed109097afe58751
                                          • Instruction ID: 0513c68da8c2e6a31b988917b62f6124b8352ada9bd46f99a566605dc892ee2b
                                          • Opcode Fuzzy Hash: aafc1ea62df4027824a4ce8d0009dbf00615650e43aff457ed109097afe58751
                                          • Instruction Fuzzy Hash: B42104719003499FDB10DFAAC885BDEBBF5BB48320F10842AE919A7240D7789944CBA5

                                          Control-flow Graph

                                          control_flow_graph 170 851b210-851b263 172 851b273-851b2a3 Wow64SetThreadContext 170->172 173 851b265-851b271 170->173 175 851b2a5-851b2ab 172->175 176 851b2ac-851b2dc 172->176 173->172 175->176
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0851B296
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1618976933.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_8510000_outlooks.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 22e1f02a9a8276eeb95bf35bea545819c7af5d77c543fb3ed55a0489eb18c615
                                          • Instruction ID: 5961f11aa546aea1af19332b0954db43ff5b20d7305e107d725ba6b294329405
                                          • Opcode Fuzzy Hash: 22e1f02a9a8276eeb95bf35bea545819c7af5d77c543fb3ed55a0489eb18c615
                                          • Instruction Fuzzy Hash: 99212871900308DFDB50DFAAC885BEEBBF4BF48325F54842AD459A7240C7789545CFA5

                                          Control-flow Graph

                                          control_flow_graph 180 851b8d0-851b965 ReadProcessMemory 184 851b967-851b96d 180->184 185 851b96e-851b99e 180->185 184->185
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0851B958
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1618976933.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_8510000_outlooks.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: dfc5eeb4e210fe6b023308e9894ab576a284d11dd0045641aeed8f9adba1a1db
                                          • Instruction ID: 9a87bdbd7172dfdbf126f2448ac2d3c22121ced6f1d4c07d5def80521e9c76e7
                                          • Opcode Fuzzy Hash: dfc5eeb4e210fe6b023308e9894ab576a284d11dd0045641aeed8f9adba1a1db
                                          • Instruction Fuzzy Hash: E72105B1800249DFDB10CFAAC885BEEBBF1FF48310F10842AE519A7250C7799541CBA5

                                          Control-flow Graph

                                          control_flow_graph 199 851b8d8-851b965 ReadProcessMemory 202 851b967-851b96d 199->202 203 851b96e-851b99e 199->203 202->203
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0851B958
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1618976933.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_8510000_outlooks.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 2b4b5eddf141e4d786ab3636610fe836102afc24c9f77ae3bb53a78d8be25ffe
                                          • Instruction ID: a7ddb4395073401ff46e75b06e9848889ec4b3a46ee2f816174b26165b75825d
                                          • Opcode Fuzzy Hash: 2b4b5eddf141e4d786ab3636610fe836102afc24c9f77ae3bb53a78d8be25ffe
                                          • Instruction Fuzzy Hash: 582116B18003499FDB10DFAAC841BEEBBF5FF48320F10842AE519A7250C7799541CBA5

                                          Control-flow Graph

                                          control_flow_graph 189 851b218-851b263 191 851b273-851b2a3 Wow64SetThreadContext 189->191 192 851b265-851b271 189->192 194 851b2a5-851b2ab 191->194 195 851b2ac-851b2dc 191->195 192->191 194->195
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0851B296
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1618976933.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_8510000_outlooks.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 98468a69003f69ba5830537b36f9503410c92b1a720322256ab3d09179bdc2b2
                                          • Instruction ID: b2ffc012dc43cb8ff42b54a055a0be9265a322d13ddce4fccc17e15e195ddf3b
                                          • Opcode Fuzzy Hash: 98468a69003f69ba5830537b36f9503410c92b1a720322256ab3d09179bdc2b2
                                          • Instruction Fuzzy Hash: 992137719003088FEB10DFAAC4857EEBBF4AF48220F54842AD419A7240C7789944CFA5

                                          Control-flow Graph

                                          control_flow_graph 207 851b720-851b7a3 VirtualAllocEx 211 851b7a5-851b7ab 207->211 212 851b7ac-851b7d1 207->212 211->212
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0851B796
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1618976933.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_8510000_outlooks.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 798ea2d7605d0c07694e649d9957ca16128d50126adac352361204b7939ff559
                                          • Instruction ID: b8bb5c56498a042c977f54e31179f9fb53060b0a0dc78149b0e162fabf4d75cc
                                          • Opcode Fuzzy Hash: 798ea2d7605d0c07694e649d9957ca16128d50126adac352361204b7939ff559
                                          • Instruction Fuzzy Hash: AB213671800248DFDF10DFAAC845BEFBBF5EF49320F148829E515A7250C775A954DBA1

                                          Control-flow Graph

                                          control_flow_graph 216 851b728-851b7a3 VirtualAllocEx 219 851b7a5-851b7ab 216->219 220 851b7ac-851b7d1 216->220 219->220
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0851B796
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1618976933.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_8510000_outlooks.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: d8fe2f961e07b4b4c5e5408e2e11386709f34df631a1bbb766fe4744caa2c343
                                          • Instruction ID: c978849d916e491492567d2654cf50a5ec58bc42baefbf375ef76ee2a26d87ff
                                          • Opcode Fuzzy Hash: d8fe2f961e07b4b4c5e5408e2e11386709f34df631a1bbb766fe4744caa2c343
                                          • Instruction Fuzzy Hash: 22112672800248DFDF10DFAAC844BDFBBF5AF48320F14882AE515A7650C775A544CFA5

                                          Control-flow Graph

                                          control_flow_graph 224 851b161-851b1d7 ResumeThread 227 851b1e0-851b205 224->227 228 851b1d9-851b1df 224->228 228->227
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1618976933.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_8510000_outlooks.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: d2c3e23ffd088111f268bc0988cb7e6f2277c7663e93563b8b2aa1c0be20f397
                                          • Instruction ID: a7fba5d70d2824e87d77994535fe4eac4005256ca90719785a75a1b34a803033
                                          • Opcode Fuzzy Hash: d2c3e23ffd088111f268bc0988cb7e6f2277c7663e93563b8b2aa1c0be20f397
                                          • Instruction Fuzzy Hash: BC1149B19003488FDB20DFAAC4457EFFBF4AF48324F14846AD415A7240C7755945CBA5

                                          Control-flow Graph

                                          control_flow_graph 232 851b168-851b1d7 ResumeThread 235 851b1e0-851b205 232->235 236 851b1d9-851b1df 232->236 236->235
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1618976933.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_8510000_outlooks.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: aaa5a0cfd59ac81ec1a11c33382ea2221c2307b42f548b39f9187071bd9cd624
                                          • Instruction ID: 953be98628993498768bca97d2366c74e2e14dbf1d74829e848571c461df963d
                                          • Opcode Fuzzy Hash: aaa5a0cfd59ac81ec1a11c33382ea2221c2307b42f548b39f9187071bd9cd624
                                          • Instruction Fuzzy Hash: 5C113AB19003488FDB10DFAAC8457DFFBF4AF48324F14882AD519A7240C779A944CFA5

                                          Control-flow Graph

                                          control_flow_graph 240 851e9c8-851ea3a PostMessageW 242 851ea43-851ea57 240->242 243 851ea3c-851ea42 240->243 243->242
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 0851EA2D
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1618976933.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_8510000_outlooks.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 1789ffd090df0fdd42f2772e03dbac72842d050bdcc4f8ad851d19acab7db1b0
                                          • Instruction ID: b6f08949703206542cf6da2a3683aea5fe3ae8e5507b3d99ec20ade2d8f9500e
                                          • Opcode Fuzzy Hash: 1789ffd090df0fdd42f2772e03dbac72842d050bdcc4f8ad851d19acab7db1b0
                                          • Instruction Fuzzy Hash: CF1113B5800349DFDB10DFAAD885BEEBBF8FB48310F10845AE854A7200C375A984CFA1
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 0851EA2D
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1618976933.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_8510000_outlooks.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 0f669a0b136b5564692f86daae55f94864b93ea99b8edc917e6ca018dcb16aa6
                                          • Instruction ID: 757c8ec771a64b30a3d2d9d57704623772cb9906e3fe77fc0fe771e1b1162b10
                                          • Opcode Fuzzy Hash: 0f669a0b136b5564692f86daae55f94864b93ea99b8edc917e6ca018dcb16aa6
                                          • Instruction Fuzzy Hash: 2711E3B5800249DFDB10DF9AD445BDEBBF8FB48310F14841AE914A7200C375A944CFA5
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 033FEDDE
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1547786169.00000000033F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_33f0000_outlooks.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: c4ae8ca83f70d21b70ccb4542c298f36b174d24918e83da551cc4d7c42b37fb3
                                          • Instruction ID: 3e5dbc3ae4f2fa110a13e66fc73bc6fe184ce968c6dd08017d5e461d09269072
                                          • Opcode Fuzzy Hash: c4ae8ca83f70d21b70ccb4542c298f36b174d24918e83da551cc4d7c42b37fb3
                                          • Instruction Fuzzy Hash: 0811E0B6C00249CFDB10CF9AD844BDEFBF5EF88224F14842AE529A7610C379A545CFA5
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1535444027.000000000186D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0186D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_186d000_outlooks.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5720226863a3f218fa6ee4f5a1f238a335d19843f6851b6c8245ddc5a6a276b1
                                          • Instruction ID: 1cd9e1064f0696ca023d90d3a2679fbc1d0850cf6589151abf564a8ec34ebdf7
                                          • Opcode Fuzzy Hash: 5720226863a3f218fa6ee4f5a1f238a335d19843f6851b6c8245ddc5a6a276b1
                                          • Instruction Fuzzy Hash: F4213671604244DFDB15DF54D8C4B26BF69FB88318F20C269E8858B656C336D546CAA2
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1536199002.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_187d000_outlooks.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2dcbd1dc75969a1a9b554bc20863c61a0e04f4c7a258fc86958b196c93b99527
                                          • Instruction ID: 68e73e7160e1869622c640176592eda8878734eb5d28978998b13c28dd82a0dc
                                          • Opcode Fuzzy Hash: 2dcbd1dc75969a1a9b554bc20863c61a0e04f4c7a258fc86958b196c93b99527
                                          • Instruction Fuzzy Hash: 1E213471604304EFDB16DF64D9C0B26BBA1FF84318F20C66DE80A8B242C33AD547CA62
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1535444027.000000000186D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0186D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_186d000_outlooks.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
                                          • Instruction ID: eb89525c8bf46a14122b219ec88879d4f1400d61454b11ab22e092c4b17f6ee0
                                          • Opcode Fuzzy Hash: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
                                          • Instruction Fuzzy Hash: 2D11DF72504280CFCB12CF54D5C4B16BF72FB84318F24C6AAE8494B656C336D556CBA1
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1536199002.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_187d000_outlooks.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                                          • Instruction ID: e287806107ce7bfb0309f89e5ceca15f2f77da9b4b0a508e5abf25b5c6ef0b19
                                          • Opcode Fuzzy Hash: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                                          • Instruction Fuzzy Hash: 3D11BE75508280CFDB12CF54D5C4B15BBA2FB44314F24C6AAD8498B656C33AD50ACB61
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1535444027.000000000186D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0186D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_186d000_outlooks.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d1d23843c9afed4fc84f7bac1f2e12b7d32eb01dd61eb029ad75cc8eb055ab20
                                          • Instruction ID: 7e2ad3dc98d2cfe826f3945046b44560a7ae30d6fe9ace8e6d1471449565d8bf
                                          • Opcode Fuzzy Hash: d1d23843c9afed4fc84f7bac1f2e12b7d32eb01dd61eb029ad75cc8eb055ab20
                                          • Instruction Fuzzy Hash: 8F01F7712043889BF7204A65CC80BA6BBDCDF40334F18C629ED888E182C27C9940CAB3
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1535444027.000000000186D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0186D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_186d000_outlooks.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 52acfe708bf1e065482efce25916359d590479fe725db2db459f145c906f9203
                                          • Instruction ID: 1c24bed3da4aecb2abf70ad69267dbd9d455481ff8b005c560782a1f84e7914a
                                          • Opcode Fuzzy Hash: 52acfe708bf1e065482efce25916359d590479fe725db2db459f145c906f9203
                                          • Instruction Fuzzy Hash: 50F0C2711043849FE7208A1ACC84BA2FFDCEB80334F18C56AED484E283C3789944CAB1

                                          Execution Graph

                                          Execution Coverage: 10%
                                          Dynamic/Decrypted Code Coverage: 100%
                                          Signature Coverage: 0%
                                          Total number of Nodes: 203
                                          Total number of Limit Nodes: 15
                                          execution_graph 20430 783bfd3 20431 783bfd9 20430->20431 20436 783d560 20431->20436 20456 783d5ce 20431->20456 20477 783d570 20431->20477 20432 783bf56 20437 783d570 20436->20437 20438 783d5ae 20437->20438 20497 783d92c 20437->20497 20502 783dc48 20437->20502 20506 783d949 20437->20506 20511 783dfa6 20437->20511 20516 783da46 20437->20516 20525 783e306 20437->20525 20534 783e320 20437->20534 20541 783d9e2 20437->20541 20546 783dce3 20437->20546 20551 783e143 20437->20551 20556 783dabd 20437->20556 20561 783db1b 20437->20561 20566 783dddb 20437->20566 20571 783dbf4 20437->20571 20576 783dc35 20437->20576 20581 783ddf6 20437->20581 20585 783da72 20437->20585 20438->20432 20457 783d55c 20456->20457 20458 783d5d1 20456->20458 20459 783e143 2 API calls 20457->20459 20460 783dce3 2 API calls 20457->20460 20461 783d9e2 2 API calls 20457->20461 20462 783d5ae 20457->20462 20463 783e320 4 API calls 20457->20463 20464 783e306 5 API calls 20457->20464 20465 783da46 5 API calls 20457->20465 20466 783dfa6 2 API calls 20457->20466 20467 783d949 2 API calls 20457->20467 20468 783dc48 2 API calls 20457->20468 20469 783d92c 2 API calls 20457->20469 20470 783da72 3 API calls 20457->20470 20471 783ddf6 2 API calls 20457->20471 20472 783dc35 2 API calls 20457->20472 20473 783dbf4 2 API calls 20457->20473 20474 783dddb 2 API calls 20457->20474 20475 783db1b 2 API calls 20457->20475 20476 783dabd 2 API calls 20457->20476 20458->20432 20459->20462 20460->20462 20461->20462 20462->20432 20463->20462 20464->20462 20465->20462 20466->20462 20467->20462 20468->20462 20469->20462 20470->20462 20471->20462 20472->20462 20473->20462 20474->20462 20475->20462 20476->20462 20478 783d58a 20477->20478 20479 783d5ae 20478->20479 20480 783e143 2 API calls 20478->20480 20481 783dce3 2 API calls 20478->20481 20482 783d9e2 2 API calls 20478->20482 20483 783e320 4 API calls 20478->20483 20484 783e306 5 API calls 20478->20484 20485 783da46 5 API calls 20478->20485 
20486 783dfa6 2 API calls 20478->20486 20487 783d949 2 API calls 20478->20487 20488 783dc48 2 API calls 20478->20488 20489 783d92c 2 API calls 20478->20489 20490 783da72 3 API calls 20478->20490 20491 783ddf6 2 API calls 20478->20491 20492 783dc35 2 API calls 20478->20492 20493 783dbf4 2 API calls 20478->20493 20494 783dddb 2 API calls 20478->20494 20495 783db1b 2 API calls 20478->20495 20496 783dabd 2 API calls 20478->20496 20479->20432 20480->20479 20481->20479 20482->20479 20483->20479 20484->20479 20485->20479 20486->20479 20487->20479 20488->20479 20489->20479 20490->20479 20491->20479 20492->20479 20493->20479 20494->20479 20495->20479 20496->20479 20499 783d93c 20497->20499 20498 783d9cd 20498->20438 20499->20498 20590 783ba70 20499->20590 20594 783ba64 20499->20594 20598 783b7e0 20502->20598 20602 783b7e8 20502->20602 20503 783d9cd 20503->20438 20507 783d93c 20506->20507 20508 783d9cd 20507->20508 20509 783ba70 CreateProcessA 20507->20509 20510 783ba64 CreateProcessA 20507->20510 20508->20438 20509->20507 20510->20507 20513 783db32 20511->20513 20512 783e3bc 20512->20438 20513->20512 20606 783b720 20513->20606 20610 783b728 20513->20610 20517 783da4c 20516->20517 20518 783d9f9 20517->20518 20622 783b218 20517->20622 20626 783b210 20517->20626 20630 783b2df 20517->20630 20614 783b161 20518->20614 20618 783b168 20518->20618 20519 783e11b 20519->20519 20526 783e23d 20525->20526 20526->20525 20527 783d9f9 20526->20527 20531 783b210 Wow64SetThreadContext 20526->20531 20532 783b218 Wow64SetThreadContext 20526->20532 20533 783b2df Wow64SetThreadContext 20526->20533 20529 783b161 ResumeThread 20527->20529 20530 783b168 ResumeThread 20527->20530 20528 783e11b 20529->20528 20530->20528 20531->20526 20532->20526 20533->20526 20634 783b8d0 20534->20634 20638 783b8d8 20534->20638 20535 783db32 20536 783e3bc 20535->20536 20539 783b720 VirtualAllocEx 20535->20539 20540 783b728 VirtualAllocEx 20535->20540 20536->20438 20539->20535 20540->20535 20542 783d9e8 20541->20542 
20544 783b161 ResumeThread 20542->20544 20545 783b168 ResumeThread 20542->20545 20543 783e11b 20544->20543 20545->20543 20547 783dac4 20546->20547 20549 783b7e0 WriteProcessMemory 20547->20549 20550 783b7e8 WriteProcessMemory 20547->20550 20548 783dafc 20549->20548 20550->20548 20552 783dac4 20551->20552 20554 783b7e0 WriteProcessMemory 20552->20554 20555 783b7e8 WriteProcessMemory 20552->20555 20553 783dafc 20554->20553 20555->20553 20557 783dac3 20556->20557 20559 783b7e0 WriteProcessMemory 20557->20559 20560 783b7e8 WriteProcessMemory 20557->20560 20558 783dafc 20559->20558 20560->20558 20562 783db21 20561->20562 20563 783e3bc 20562->20563 20564 783b720 VirtualAllocEx 20562->20564 20565 783b728 VirtualAllocEx 20562->20565 20563->20438 20564->20562 20565->20562 20567 783dde1 20566->20567 20569 783b161 ResumeThread 20567->20569 20570 783b168 ResumeThread 20567->20570 20568 783e11b 20569->20568 20570->20568 20573 783db32 20571->20573 20572 783e3bc 20572->20438 20573->20572 20574 783b720 VirtualAllocEx 20573->20574 20575 783b728 VirtualAllocEx 20573->20575 20574->20573 20575->20573 20577 783db32 20576->20577 20578 783e3bc 20577->20578 20579 783b720 VirtualAllocEx 20577->20579 20580 783b728 VirtualAllocEx 20577->20580 20578->20438 20579->20577 20580->20577 20583 783b7e0 WriteProcessMemory 20581->20583 20584 783b7e8 WriteProcessMemory 20581->20584 20582 783dd7a 20582->20438 20583->20582 20584->20582 20587 783b210 Wow64SetThreadContext 20585->20587 20588 783b218 Wow64SetThreadContext 20585->20588 20589 783b2df Wow64SetThreadContext 20585->20589 20586 783da8c 20586->20438 20587->20586 20588->20586 20589->20586 20591 783baf9 20590->20591 20591->20591 20592 783bc5e CreateProcessA 20591->20592 20593 783bcbb 20592->20593 20595 783baf9 20594->20595 20595->20595 20596 783bc5e CreateProcessA 20595->20596 20597 783bcbb 20596->20597 20599 783b830 WriteProcessMemory 20598->20599 20601 783b887 20599->20601 20601->20503 20603 783b830 WriteProcessMemory 20602->20603 20605 783b887 
20603->20605 20605->20503 20607 783b768 VirtualAllocEx 20606->20607 20609 783b7a5 20607->20609 20609->20513 20611 783b768 VirtualAllocEx 20610->20611 20613 783b7a5 20611->20613 20613->20513 20615 783b1a8 ResumeThread 20614->20615 20617 783b1d9 20615->20617 20617->20519 20619 783b1a8 ResumeThread 20618->20619 20621 783b1d9 20619->20621 20621->20519 20623 783b25d Wow64SetThreadContext 20622->20623 20625 783b2a5 20623->20625 20625->20517 20627 783b25d Wow64SetThreadContext 20626->20627 20629 783b2a5 20627->20629 20629->20517 20631 783b27f Wow64SetThreadContext 20630->20631 20633 783b2ef 20630->20633 20632 783b2a5 20631->20632 20632->20517 20633->20517 20635 783b8d5 ReadProcessMemory 20634->20635 20637 783b967 20635->20637 20637->20535 20639 783b923 ReadProcessMemory 20638->20639 20641 783b967 20639->20641 20641->20535 20411 28ae688 20414 28aeb88 20411->20414 20412 28ae697 20415 28aeb99 20414->20415 20418 28aebbc 20414->20418 20423 28ad6fc 20415->20423 20418->20412 20419 28aebb4 20419->20418 20420 28aedc0 GetModuleHandleW 20419->20420 20421 28aeded 20420->20421 20421->20412 20424 28aed78 GetModuleHandleW 20423->20424 20426 28aeba4 20424->20426 20426->20418 20427 28aee20 20426->20427 20428 28ad6fc GetModuleHandleW 20427->20428 20429 28aee34 20428->20429 20429->20419 20642 783e750 20643 783e776 20642->20643 20644 783e8db 20642->20644 20643->20644 20646 783a008 20643->20646 20647 783e9d0 PostMessageW 20646->20647 20648 783ea3c 20647->20648 20648->20643 20649 28a78f0 20650 28a78fa 20649->20650 20652 28a7de8 20649->20652 20653 28a7e0d 20652->20653 20657 28a7ee7 20653->20657 20661 28a7ef8 20653->20661 20658 28a7ef8 20657->20658 20660 28a7ffc 20658->20660 20665 28a7b24 20658->20665 20662 28a7f1f 20661->20662 20663 28a7ffc 20662->20663 20664 28a7b24 CreateActCtxA 20662->20664 20664->20663 20666 28a8f88 CreateActCtxA 20665->20666 20668 28a904b 20666->20668

                                          Control-flow Graph

                                          control_flow_graph 0 783ba64-783bb05 2 783bb07-783bb11 0->2 3 783bb3e-783bb5e 0->3 2->3 4 783bb13-783bb15 2->4 10 783bb60-783bb6a 3->10 11 783bb97-783bbc6 3->11 5 783bb17-783bb21 4->5 6 783bb38-783bb3b 4->6 8 783bb23 5->8 9 783bb25-783bb34 5->9 6->3 8->9 9->9 12 783bb36 9->12 10->11 13 783bb6c-783bb6e 10->13 17 783bbc8-783bbd2 11->17 18 783bbff-783bcb9 CreateProcessA 11->18 12->6 15 783bb91-783bb94 13->15 16 783bb70-783bb7a 13->16 15->11 19 783bb7e-783bb8d 16->19 20 783bb7c 16->20 17->18 21 783bbd4-783bbd6 17->21 31 783bcc2-783bd48 18->31 32 783bcbb-783bcc1 18->32 19->19 22 783bb8f 19->22 20->19 23 783bbf9-783bbfc 21->23 24 783bbd8-783bbe2 21->24 22->15 23->18 26 783bbe6-783bbf5 24->26 27 783bbe4 24->27 26->26 28 783bbf7 26->28 27->26 28->23 42 783bd4a-783bd4e 31->42 43 783bd58-783bd5c 31->43 32->31 42->43 46 783bd50 42->46 44 783bd5e-783bd62 43->44 45 783bd6c-783bd70 43->45 44->45 47 783bd64 44->47 48 783bd72-783bd76 45->48 49 783bd80-783bd84 45->49 46->43 47->45 48->49 50 783bd78 48->50 51 783bd96-783bd9d 49->51 52 783bd86-783bd8c 49->52 50->49 53 783bdb4 51->53 54 783bd9f-783bdae 51->54 52->51 55 783bdb5 53->55 54->53 55->55
                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0783BCA6
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1789941083.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7830000_outlooks.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 52b4e0da824070dcf7605db94a57b2dd0872e7f74471a16baa3898f0ffee956c
                                          • Instruction ID: e0f5d239db07805488968d4cfe8699f993f772055250c49557925bc15f1306f9
                                          • Opcode Fuzzy Hash: 52b4e0da824070dcf7605db94a57b2dd0872e7f74471a16baa3898f0ffee956c
                                          • Instruction Fuzzy Hash: E7A137F1D003198FEB24CF68C8457EEBBB2AF48314F1485A9E848E7290DB749985CF91

                                          Control-flow Graph

                                          control_flow_graph 57 783ba70-783bb05 59 783bb07-783bb11 57->59 60 783bb3e-783bb5e 57->60 59->60 61 783bb13-783bb15 59->61 67 783bb60-783bb6a 60->67 68 783bb97-783bbc6 60->68 62 783bb17-783bb21 61->62 63 783bb38-783bb3b 61->63 65 783bb23 62->65 66 783bb25-783bb34 62->66 63->60 65->66 66->66 69 783bb36 66->69 67->68 70 783bb6c-783bb6e 67->70 74 783bbc8-783bbd2 68->74 75 783bbff-783bcb9 CreateProcessA 68->75 69->63 72 783bb91-783bb94 70->72 73 783bb70-783bb7a 70->73 72->68 76 783bb7e-783bb8d 73->76 77 783bb7c 73->77 74->75 78 783bbd4-783bbd6 74->78 88 783bcc2-783bd48 75->88 89 783bcbb-783bcc1 75->89 76->76 79 783bb8f 76->79 77->76 80 783bbf9-783bbfc 78->80 81 783bbd8-783bbe2 78->81 79->72 80->75 83 783bbe6-783bbf5 81->83 84 783bbe4 81->84 83->83 85 783bbf7 83->85 84->83 85->80 99 783bd4a-783bd4e 88->99 100 783bd58-783bd5c 88->100 89->88 99->100 103 783bd50 99->103 101 783bd5e-783bd62 100->101 102 783bd6c-783bd70 100->102 101->102 104 783bd64 101->104 105 783bd72-783bd76 102->105 106 783bd80-783bd84 102->106 103->100 104->102 105->106 107 783bd78 105->107 108 783bd96-783bd9d 106->108 109 783bd86-783bd8c 106->109 107->106 110 783bdb4 108->110 111 783bd9f-783bdae 108->111 109->108 112 783bdb5 110->112 111->110 112->112
                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0783BCA6
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1789941083.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7830000_outlooks.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: d70f5ceb5274619e2b627731a354138dabfa3f6f461b8b60f23f5ed40784cb17
                                          • Instruction ID: f731b88f7cb3234d3065ae04b46ce9c86d5c779cbb2ea276fdc2232b3d0fc6a4
                                          • Opcode Fuzzy Hash: d70f5ceb5274619e2b627731a354138dabfa3f6f461b8b60f23f5ed40784cb17
                                          • Instruction Fuzzy Hash: BA9137F1D003198FEB24CF69C8457AEBBB2AF48314F1485A9E848E7290DB749985CF91

                                          Control-flow Graph

                                          control_flow_graph 114 28aeb88-28aeb97 115 28aeb99-28aeba6 call 28ad6fc 114->115 116 28aebc3-28aebc7 114->116 123 28aeba8-28aebb6 call 28aee20 115->123 124 28aebbc 115->124 118 28aebdb-28aec1c 116->118 119 28aebc9-28aebd3 116->119 125 28aec29-28aec37 118->125 126 28aec1e-28aec26 118->126 119->118 123->124 132 28aecf8-28aedb8 123->132 124->116 127 28aec5b-28aec5d 125->127 128 28aec39-28aec3e 125->128 126->125 133 28aec60-28aec67 127->133 130 28aec49 128->130 131 28aec40-28aec47 call 28ad708 128->131 135 28aec4b-28aec59 130->135 131->135 165 28aedba-28aedbd 132->165 166 28aedc0-28aedeb GetModuleHandleW 132->166 136 28aec69-28aec71 133->136 137 28aec74-28aec7b 133->137 135->133 136->137 138 28aec88-28aec91 call 28ad718 137->138 139 28aec7d-28aec85 137->139 145 28aec9e-28aeca3 138->145 146 28aec93-28aec9b 138->146 139->138 147 28aecc1-28aecce 145->147 148 28aeca5-28aecac 145->148 146->145 154 28aecd0-28aecee 147->154 155 28aecf1-28aecf7 147->155 148->147 150 28aecae-28aecbe call 28ad728 call 28ae774 148->150 150->147 154->155 165->166 167 28aeded-28aedf3 166->167 168 28aedf4-28aee08 166->168 167->168
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1692933931.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_28a0000_outlooks.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 0b451aaa123e25f33c98446d59e5392a6a4bb9cfc7ea5b1229d92c8ff70c936e
                                          • Instruction ID: dc8f12c2a010827c6199c308c60fa35961769f3d0d9f82550cacf46c2864a22b
                                          • Opcode Fuzzy Hash: 0b451aaa123e25f33c98446d59e5392a6a4bb9cfc7ea5b1229d92c8ff70c936e
                                          • Instruction Fuzzy Hash: 4F714478A00B058FEB24DF2AD46575ABBF1BF88304F008A2DD48AD7A50DB75E945CF91

                                          Control-flow Graph

                                          control_flow_graph 171 783b2df-783b2ed 172 783b27f-783b2a3 Wow64SetThreadContext 171->172 173 783b2ef-783b31f 171->173 176 783b2a5-783b2ab 172->176 177 783b2ac-783b2dc 172->177 174 783b321 173->174 175 783b326-783b37f 173->175 174->175 178 783b492-783b4a0 175->178 179 783b385-783b387 175->179 176->177 180 783b4a2-783b4a4 178->180 181 783b518-783b529 178->181 179->178 182 783b38d-783b3bd 179->182 180->181 187 783b4a6-783b4b6 180->187 185 783b708-783b712 181->185 186 783b52f-783b531 181->186 188 783b3c4-783b3d5 182->188 189 783b3bf 182->189 186->185 191 783b537-783b567 186->191 192 783b4c7 187->192 193 783b4b8-783b4c5 187->193 194 783b3d7 188->194 195 783b3dc-783b3f2 188->195 189->188 196 783b569 191->196 197 783b56e-783b57f 191->197 198 783b4ca-783b505 192->198 193->198 194->195 199 783b3f4 195->199 200 783b3f9-783b40f 195->200 196->197 203 783b581 197->203 204 783b586-783b59c 197->204 218 783b507 198->218 219 783b50c-783b513 198->219 199->200 201 783b411 200->201 202 783b416-783b471 200->202 201->202 225 783b473-783b479 202->225 226 783b47b 202->226 203->204 206 783b5a3-783b5b9 204->206 207 783b59e 204->207 210 783b5c0-783b5fd 206->210 211 783b5bb 206->211 207->206 212 783b604-783b615 210->212 213 783b5ff 210->213 211->210 215 783b617 212->215 216 783b61c-783b632 212->216 213->212 215->216 220 783b634 216->220 221 783b639-783b64f 216->221 218->219 219->185 220->221 222 783b651 221->222 223 783b656-783b675 221->223 222->223 227 783b677-783b67d 223->227 228 783b67f 223->228 229 783b47e-783b48d 225->229 226->229 230 783b682-783b6f0 227->230 228->230 229->185 237 783b6f2-783b6f8 230->237 238 783b6fa 230->238 239 783b6fd-783b705 237->239 238->239 239->185
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0783B296
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1789941083.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7830000_outlooks.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 29d60e676402a5819360c8f84980a9f18fa1bc66e2ca96447a961dbc430584af
                                          • Instruction ID: 988b62d7df7242deca5e7f5fa73bf40fb629b7f8dc4043542e8bbc682931b79e
                                          • Opcode Fuzzy Hash: 29d60e676402a5819360c8f84980a9f18fa1bc66e2ca96447a961dbc430584af
                                          • Instruction Fuzzy Hash: B2614BF1D002198FDB14DFA9C5816AEFBF2FF89314F24816AD418AB251D7359942CFA1

                                          Control-flow Graph

                                          control_flow_graph 241 28a8f7c-28a8f86 242 28a8f88-28a9049 CreateActCtxA 241->242 244 28a904b-28a9051 242->244 245 28a9052-28a90ac 242->245 244->245 252 28a90bb-28a90bf 245->252 253 28a90ae-28a90b1 245->253 254 28a90d0 252->254 255 28a90c1-28a90cd 252->255 253->252 257 28a90d1 254->257 255->254 257->257
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 028A9039
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1692933931.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_28a0000_outlooks.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 75a254bea15ef42b5d4349c81ab0e276824b571b30982d71f22d864e35fb8e29
                                          • Instruction ID: c88c688656e7a478d87d6906af7a2aef0c08bd9491bc2d9b290c63005016efc7
                                          • Opcode Fuzzy Hash: 75a254bea15ef42b5d4349c81ab0e276824b571b30982d71f22d864e35fb8e29
                                          • Instruction Fuzzy Hash: 0E41F2B4C04718CFEB24CFA9C845BDEBBB5BF48314F20806AD408AB255DBB65945CF91

                                          Control-flow Graph

                                          control_flow_graph 258 28a7b24-28a9049 CreateActCtxA 261 28a904b-28a9051 258->261 262 28a9052-28a90ac 258->262 261->262 269 28a90bb-28a90bf 262->269 270 28a90ae-28a90b1 262->270 271 28a90d0 269->271 272 28a90c1-28a90cd 269->272 270->269 274 28a90d1 271->274 272->271 274->274
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 028A9039
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1692933931.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_28a0000_outlooks.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 6282e5848c09bd6d04d44c9906ceb8aa1e6c6af8fe7817c9533125f14f2c6d96
                                          • Instruction ID: 40b513f87287c8e9f047bb35608edda996d8f8c0e1dcf59b3b04f4325e66b02d
                                          • Opcode Fuzzy Hash: 6282e5848c09bd6d04d44c9906ceb8aa1e6c6af8fe7817c9533125f14f2c6d96
                                          • Instruction Fuzzy Hash: 6C41B0B4C04719CBEB24DFAAC855BDEBBB5BF48304F20806AD408AB255DBB56945CF90

                                          Control-flow Graph

                                          control_flow_graph 275 783b7e0-783b836 277 783b846-783b885 WriteProcessMemory 275->277 278 783b838-783b844 275->278 280 783b887-783b88d 277->280 281 783b88e-783b8be 277->281 278->277 280->281
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0783B878
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1789941083.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7830000_outlooks.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 7951f0a21f09ffd609cf6421c1604f4c37d413c582ca2b762d94e0fe7e0349d1
                                          • Instruction ID: cc734a5815873d1a4e14be6e72160ce96edc9290124555e0484e7edd409e814d
                                          • Opcode Fuzzy Hash: 7951f0a21f09ffd609cf6421c1604f4c37d413c582ca2b762d94e0fe7e0349d1
                                          • Instruction Fuzzy Hash: 172146B2900349DFDB10CFA9C885BDEBBF1FF48310F10842AE958A7240D7B89545CBA4

                                          Control-flow Graph

                                          control_flow_graph 285 783b7e8-783b836 287 783b846-783b885 WriteProcessMemory 285->287 288 783b838-783b844 285->288 290 783b887-783b88d 287->290 291 783b88e-783b8be 287->291 288->287 290->291
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0783B878
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1789941083.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7830000_outlooks.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 8fcf7ebebc4c9e2a9aaea3225e76d6a367cb84abab8494d54b22a4e7efc0cb9c
                                          • Instruction ID: c394861142c54df62029f37903decc3341274c36a5bfce6e3a726fa7d863831d
                                          • Opcode Fuzzy Hash: 8fcf7ebebc4c9e2a9aaea3225e76d6a367cb84abab8494d54b22a4e7efc0cb9c
                                          • Instruction Fuzzy Hash: CC2127B19003499FDB10CFAAC885BDEBBF5FF48354F10842AE958A7240D7789944CBA5

                                          Control-flow Graph

                                          control_flow_graph 295 783b210-783b263 297 783b273-783b2a3 Wow64SetThreadContext 295->297 298 783b265-783b271 295->298 301 783b2a5-783b2ab 297->301 302 783b2ac-783b2dc 297->302 298->297 301->302
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0783B296
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1789941083.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7830000_outlooks.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: a9f9da07a2f1d816d51ca2409e0a491d2e74ab5fe553b571b2aad92a373c198e
                                          • Instruction ID: 5978f827e25d4483586d7b111e2e0665aa560b96f0fcd446dae15150b311a0c6
                                          • Opcode Fuzzy Hash: a9f9da07a2f1d816d51ca2409e0a491d2e74ab5fe553b571b2aad92a373c198e
                                          • Instruction Fuzzy Hash: D0213AB1D003498FDB10DFAAC885BEEBBF4EF48314F14842AD459A7241C7789585CFA4

                                          Control-flow Graph

                                          control_flow_graph 306 783b218-783b263 308 783b273-783b2a3 Wow64SetThreadContext 306->308 309 783b265-783b271 306->309 312 783b2a5-783b2ab 308->312 313 783b2ac-783b2dc 308->313 309->308 312->313
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0783B296
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1789941083.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7830000_outlooks.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 3ebcaa8c72b619bac6d6ce4da33636b08efeec05b9e9f6412d6928bcc3a3ce44
                                          • Instruction ID: 667ab134f8587eefe5c7cb62bd8eced0bd5b806608258c82ac757428a06ab880
                                          • Opcode Fuzzy Hash: 3ebcaa8c72b619bac6d6ce4da33636b08efeec05b9e9f6412d6928bcc3a3ce44
                                          • Instruction Fuzzy Hash: 4F2149B1D003098FDB10DFAAC885BEEBBF4EF48354F14842AD559A7240C7B89945CFA4

                                          Control-flow Graph

                                          • Basic blocks: 783b8d0-783b965 (ReadProcessMemory), 783b967-783b96d, 783b96e-783b99e
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0783B958
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1789941083.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7830000_outlooks.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 2577ff0ae0e480f71e3c3b35cd326e6e096f1a8a0c91b3d7e4fb9eb4ae8dd2e5
                                          • Instruction ID: 40d84263ec814d89de5cd82c767ea73ed9690c5364e40dd57a79532992ea7ec8
                                          • Opcode Fuzzy Hash: 2577ff0ae0e480f71e3c3b35cd326e6e096f1a8a0c91b3d7e4fb9eb4ae8dd2e5
                                          • Instruction Fuzzy Hash: E62119B29003599FDB10CFAAC8447DEBBF5FF48314F10842AE558A7250D7799541CBA4

                                          Control-flow Graph

                                          • Basic blocks: 783b8d8-783b965 (ReadProcessMemory), 783b967-783b96d, 783b96e-783b99e
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0783B958
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1789941083.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7830000_outlooks.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: fd332d419602ee69747dd259063f46d5d77228f93ff4903892f5f00ac11de0bf
                                          • Instruction ID: 6d3ed8efee1e4124be564c34bf8765b264e5175c1c77e6ff9d5b3995beab358a
                                          • Opcode Fuzzy Hash: fd332d419602ee69747dd259063f46d5d77228f93ff4903892f5f00ac11de0bf
                                          • Instruction Fuzzy Hash: 312128B18003499FDB10CFAAC845BEEBBF5FF48310F10842AE958A7250D7789540CBA4

                                          Control-flow Graph

                                          • Basic blocks: 783b720-783b7a3 (VirtualAllocEx), 783b7a5-783b7ab, 783b7ac-783b7d1
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0783B796
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1789941083.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7830000_outlooks.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: db132964b0de90d5774f9f83c82d9683c44f71152a25b5410cf7bc51e8384a02
                                          • Instruction ID: 6ecc152fa6d52069dc685b08f2657b49f1b913b56e3dfc3f4a87471eac8a3b71
                                          • Opcode Fuzzy Hash: db132964b0de90d5774f9f83c82d9683c44f71152a25b5410cf7bc51e8384a02
                                          • Instruction Fuzzy Hash: FF2147B29002499FDB10DFAAC844BDFBBF5EF48324F108829E515AB250C7B59545CFA0

                                          Control-flow Graph

                                          • Basic blocks: 783b728-783b7a3 (VirtualAllocEx), 783b7a5-783b7ab, 783b7ac-783b7d1
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0783B796
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1789941083.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7830000_outlooks.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: f5bcf88177385de6ed0a0513c031d311f73e04eadc28cbacca7419896c4506b5
                                          • Instruction ID: 42549fff2c453035b5afd081ea6358825852328b039f4977d4027634a00abaaa
                                          • Opcode Fuzzy Hash: f5bcf88177385de6ed0a0513c031d311f73e04eadc28cbacca7419896c4506b5
                                          • Instruction Fuzzy Hash: 5C1126B29003499FDB10DFAAC844BDFBBF5EF48324F148829E559A7250C7759540CFA4

                                          Control-flow Graph

                                          • Basic blocks: 783b161-783b1d7 (ResumeThread), 783b1d9-783b1df, 783b1e0-783b205
                                          APIs
                                          • ResumeThread.KERNELBASE(?), ref: 0783B1CA
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1789941083.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7830000_outlooks.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 37abfd607a21d37b17cdb1edfafb218f98c24b217157cb4e556e868119caa5d4
                                          • Instruction ID: d8e7c3419a04b581017d3e089d46a8d48e8617a8e15b0f41ea2e00c465dbb095
                                          • Opcode Fuzzy Hash: 37abfd607a21d37b17cdb1edfafb218f98c24b217157cb4e556e868119caa5d4
                                          • Instruction Fuzzy Hash: E61149B19003498FDB10DFAAC8457DFBBF5AF48314F10882AD559A7640C778A941CBA4
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,028AEBA4), ref: 028AEDDE
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1692933931.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_28a0000_outlooks.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: ab0129cbe9ade7a4706cfbe309303173b56adc90429413e1c749682fb08fad12
                                          • Instruction ID: b8097eff7438bc8862defbb33407ac572e891340616fc86a99949afb9ea9e377
                                          • Opcode Fuzzy Hash: ab0129cbe9ade7a4706cfbe309303173b56adc90429413e1c749682fb08fad12
                                          • Instruction Fuzzy Hash: 651132B9D003498FDB20CF9AC844BDEFBF4EF88214F10882AD558A7200C7B4A545CFA1
                                          APIs
                                          • ResumeThread.KERNELBASE(?), ref: 0783B1CA
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1789941083.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7830000_outlooks.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 8a947e23237777abfadfbc46f1b9de85975d49cd53485e603a5e137bd0352384
                                          • Instruction ID: 3d0b1d96d8ee0b61bcc4d545807f70f38ef4b1bcf8ee64f8821eaa0328e0dad3
                                          • Opcode Fuzzy Hash: 8a947e23237777abfadfbc46f1b9de85975d49cd53485e603a5e137bd0352384
                                          • Instruction Fuzzy Hash: 171128B19043498BDB20DFAAC8457DFFBF5AF48224F14882AD559A7240C7756944CBA4
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 0783EA2D
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1789941083.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7830000_outlooks.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 6930ffbec8ac623f8d973ba2e294f2c6024e53365a8c801d032dc7fc022393cc
                                          • Instruction ID: 1ef9b046a9dbd4f3f3f2dcc1b8e5999601c9fec43b3bd88772b719894a7f8f36
                                          • Opcode Fuzzy Hash: 6930ffbec8ac623f8d973ba2e294f2c6024e53365a8c801d032dc7fc022393cc
                                          • Instruction Fuzzy Hash: 041133B58043099FDB10DF9AD885BDEFBF4FB58324F10842AE558A7240C374AA45CFA1
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 0783EA2D
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1789941083.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7830000_outlooks.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: a09e7b7b1559ada9647ca84dd88f8cd95ec1ce285944f07bfc35cae7b5a4f028
                                          • Instruction ID: a112b1819374829e96931e6ebf21c57a07e121f7939240aba20daf718d6ff112
                                          • Opcode Fuzzy Hash: a09e7b7b1559ada9647ca84dd88f8cd95ec1ce285944f07bfc35cae7b5a4f028
                                          • Instruction Fuzzy Hash: 3B11E3B58003499FDB10DF9AD845BDEBBF8FB58314F10841AE558A7640C3B5A944CFE5
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1679780773.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_d0d000_outlooks.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6815587ac00a30de8a97bf7ea542c9022134e54d54edf8413acd802e0d568035
                                          • Instruction ID: 745e2992a1a120e3da86bb06763e367f481645d0a01fcefcc76d48ffde7af6f4
                                          • Opcode Fuzzy Hash: 6815587ac00a30de8a97bf7ea542c9022134e54d54edf8413acd802e0d568035
                                          • Instruction Fuzzy Hash: FD21F271604304EFDB14DF64D984B26BBA6FB84324F24C56EE84E4B286C336D847CA72
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1679780773.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_d0d000_outlooks.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e95e7cc3b39e2593e84e8c58f9af3d1534d462ed26f337d6c11c499f768ca488
                                          • Instruction ID: bac93a35384f8d3f9c784182a6816f336dbea8a767a9a5e09e884b714ad04d6d
                                          • Opcode Fuzzy Hash: e95e7cc3b39e2593e84e8c58f9af3d1534d462ed26f337d6c11c499f768ca488
                                          • Instruction Fuzzy Hash: 682180755093808FCB12CF24D994715BF72EB46314F28C5EBD8498F6A7C33A980ACB62
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1679407183.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_cfd000_outlooks.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 35be704971864b510af0a59587b566d5c51ce0d39b63557039edf487ab33711a
                                          • Instruction ID: 0ad5377e95552358ffe9a1d6db561f822882037aacc575710b10b084a31c2a78
                                          • Opcode Fuzzy Hash: 35be704971864b510af0a59587b566d5c51ce0d39b63557039edf487ab33711a
                                          • Instruction Fuzzy Hash: AF01F7311083489BE7506A22CC807B7BBD9DF40334F24C42BEE1A4E186C3789840CAB3
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.1679407183.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_cfd000_outlooks.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a7d27abe46dc6721eae3e0a7ae4e0a14a1727632180114db8c2e4e5968f2d1e7
                                          • Instruction ID: d254a19c45325d9dac090dc1b4249df2b61ba4961658b2c3aa19326a8ba04afa
                                          • Opcode Fuzzy Hash: a7d27abe46dc6721eae3e0a7ae4e0a14a1727632180114db8c2e4e5968f2d1e7
                                          • Instruction Fuzzy Hash: 9CF0C2720083449FE7209A16C884B73FBD8EF90338F28C55AED594E286C3789844CAB2

                                          Execution Graph

                                          Execution Coverage:7%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:82
                                          Total number of Limit Nodes:8
                                          • Execution graph (node dump): entry nodes 1916540 and 1914668; API calls reached: DuplicateHandle (191611c, 1916783, 1916788), CreateActCtxA (1916414, 1917370), GetModuleHandleW (191bff0, 191c238), KiUserCallbackDispatcher (191e3ba)

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0191C256
                                          Memory Dump Source
                                          • Source File: 00000018.00000002.3861062896.0000000001910000.00000040.00000800.00020000.00000000.sdmp, Offset: 01910000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_24_2_1910000_outlooks.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 7f094f91a62ae51be957ec2b7d27da447e5799c3ee59c85f03af0055b74ee3e2
                                          • Instruction ID: 280b91b51fbe103d1383fce61a0e3cbd102b68969646b8bd7c22d130236cf0c8
                                          • Opcode Fuzzy Hash: 7f094f91a62ae51be957ec2b7d27da447e5799c3ee59c85f03af0055b74ee3e2
                                          • Instruction Fuzzy Hash: DE8148B0A00B498FEB25CF69C44179ABBF5BF88310F00892DD44AD7B44D775E985CB91

                                          Control-flow Graph

                                          • Basic blocks: 1916780-1916781, 1916783-191681c (DuplicateHandle), 191671b-1916749 (call 191611c), 191681e-1916824, 1916825-1916842, 191674e-1916774
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0191674E,?,?,?,?,?), ref: 0191680F
                                          Memory Dump Source
                                          • Source File: 00000018.00000002.3861062896.0000000001910000.00000040.00000800.00020000.00000000.sdmp, Offset: 01910000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_24_2_1910000_outlooks.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 6504168ba7e2234c0923b4e5ff642f8e94f9b5eefa84f690f44f049a82f450e3
                                          • Instruction ID: e0029358c5b3280376aa5f8db7ed1e561758bce631682d43138d593a9f7dbf89
                                          • Opcode Fuzzy Hash: 6504168ba7e2234c0923b4e5ff642f8e94f9b5eefa84f690f44f049a82f450e3
                                          • Instruction Fuzzy Hash: 45413776900248AFDF01CF99D884AEEBFF9FB48310F14806AE919A7310D775A950CFA5

                                          Control-flow Graph

                                          • Basic blocks: 1916414-1917431 (CreateActCtxA), 1917433-1917439, 191743a-1917494, 1917496-1917499, 19174a3-19174a7, 19174a9-19174b5, 19174b8, 19174b9
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 01917421
                                          Memory Dump Source
                                          • Source File: 00000018.00000002.3861062896.0000000001910000.00000040.00000800.00020000.00000000.sdmp, Offset: 01910000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_24_2_1910000_outlooks.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 623febff2d3e9a25dfe84308fac66563a70bd5b259fb5c8ebd9df785d1c06016
                                          • Instruction ID: 37c93f210dbc3b6246ab6dfc85a8ad45ed3edc3805751d8f263f53b0883a704d
                                          • Opcode Fuzzy Hash: 623febff2d3e9a25dfe84308fac66563a70bd5b259fb5c8ebd9df785d1c06016
                                          • Instruction Fuzzy Hash: F541B270C0471DCBEB28CFA9C844B9EBBB6BF48704F10805AD408AB255D7756985CF90

                                          Control-flow Graph

                                          • Basic blocks: 1917364-191736b, 1917370-1917431 (CreateActCtxA), 1917433-1917439, 191743a-1917494, 1917496-1917499, 19174a3-19174a7, 19174a9-19174b5, 19174b8, 19174b9
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 01917421
                                          Memory Dump Source
                                          • Source File: 00000018.00000002.3861062896.0000000001910000.00000040.00000800.00020000.00000000.sdmp, Offset: 01910000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_24_2_1910000_outlooks.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 18a97b22a24cbd3a331893dd47aecf8f494722a3b03f803c351d54baf3c3e793
                                          • Instruction ID: c803fd0e1a750bbde3e6f9c1c19084d3ff519935f012b1a307f4e6761d3595f6
                                          • Opcode Fuzzy Hash: 18a97b22a24cbd3a331893dd47aecf8f494722a3b03f803c351d54baf3c3e793
                                          • Instruction Fuzzy Hash: 4E41B271C0471DCBEB28CFA9C844BDEBBB6BF48704F14805AD418AB255D7756985CF90

                                          Control-flow Graph

                                          • Basic blocks: 191611c-191681c (DuplicateHandle), 191681e-1916824, 1916825-1916842
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0191674E,?,?,?,?,?), ref: 0191680F
                                          Memory Dump Source
                                          • Source File: 00000018.00000002.3861062896.0000000001910000.00000040.00000800.00020000.00000000.sdmp, Offset: 01910000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_24_2_1910000_outlooks.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 40f39cc50413c83b05a0a10716cb1c385707e0c70bd7d7c7c2a225c56dd989fd
                                          • Instruction ID: e8a0a5d40ae80bdc280285cb07595b83d7320b4b16b59da4b3792a47f2340f31
                                          • Opcode Fuzzy Hash: 40f39cc50413c83b05a0a10716cb1c385707e0c70bd7d7c7c2a225c56dd989fd
                                          • Instruction Fuzzy Hash: 8721D4B5D003489FDB10CF9AD884ADEFBF8FB48310F14845AE958A7250D374A944CFA5

                                          Control-flow Graph

                                          • Basic blocks: 191c1f0-191c230, 191c232-191c235, 191c238-191c263 (GetModuleHandleW), 191c265-191c26b, 191c26c-191c280
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0191C256
                                          Memory Dump Source
                                          • Source File: 00000018.00000002.3861062896.0000000001910000.00000040.00000800.00020000.00000000.sdmp, Offset: 01910000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_24_2_1910000_outlooks.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: a93ec994e06f397f643fc2145703c3d403dff149cfafa994465cd708247ba3c7
                                          • Instruction ID: d2d469d14a8ce85da961d4884939f8cd254a8c879b4ca913e5ab7a4489e944e5
                                          • Opcode Fuzzy Hash: a93ec994e06f397f643fc2145703c3d403dff149cfafa994465cd708247ba3c7
                                          • Instruction Fuzzy Hash: 6511D2B5D002498FDB10DF9AC444BDEFBF4AB88224F14852AD569A7210C375A545CFA5
                                          Memory Dump Source
                                          • Source File: 00000018.00000002.3860671605.00000000018CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_24_2_18cd000_outlooks.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6d98cd14e3b2ae263946f21e70b45d418c871cc516845b82bacd2ed2b034b016
                                          • Instruction ID: 90cd8c0548951ba2417c34248c123b28e62ba31e0ebdd66093f49bb556c337f3
                                          • Opcode Fuzzy Hash: 6d98cd14e3b2ae263946f21e70b45d418c871cc516845b82bacd2ed2b034b016
                                          • Instruction Fuzzy Hash: 7C210771504304EFDB15EF58D5C4B16BBA5FB84714F20C67DE84A8B246C336D547CAA2
                                          Memory Dump Source
                                          • Source File: 00000018.00000002.3860671605.00000000018CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_24_2_18cd000_outlooks.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                                          • Instruction ID: 18301d929c2028c1f5d22b03694b235f1645bf43bd0d9876707650c775cee748
                                          • Opcode Fuzzy Hash: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                                          • Instruction Fuzzy Hash: B811EB75508280CFCB12DF18D5C4B16BBA2FB84314F24C6AED8498B656C33AD40ACBA2

                                          Execution Graph

                                          Execution Coverage:8.5%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:86
                                          Total number of Limit Nodes:9
                                          execution_graph 19928 1a16540 19929 1a16586 19928->19929 19933 1a16720 19929->19933 19936 1a1670f 19929->19936 19930 1a16673 19943 1a1611c 19933->19943 19937 1a16713 19936->19937 19938 1a16779 DuplicateHandle 19936->19938 19939 1a1611c DuplicateHandle 19937->19939 19941 1a1674e 19937->19941 19942 1a1681e 19938->19942 19939->19941 19941->19930 19942->19930 19944 1a16788 DuplicateHandle 19943->19944 19946 1a1674e 19944->19946 19946->19930 19947 1a1bf08 19950 1a1bff0 19947->19950 19948 1a1bf17 19951 1a1c034 19950->19951 19952 1a1c011 19950->19952 19951->19948 19952->19951 19953 1a1c238 GetModuleHandleW 19952->19953 19954 1a1c265 19953->19954 19954->19948 19955 1a14668 19960 1a14676 19955->19960 19958 1a14704 19961 1a16de0 19960->19961 19962 1a16e05 19961->19962 19970 1a16ef0 19962->19970 19974 1a16edf 19962->19974 19963 1a146e9 19966 1a1421c 19963->19966 19967 1a14227 19966->19967 19982 1a18560 19967->19982 19969 1a18806 19969->19958 19972 1a16f17 19970->19972 19971 1a16ff4 19971->19971 19972->19971 19978 1a16414 19972->19978 19975 1a16f17 19974->19975 19976 1a16ff4 19975->19976 19977 1a16414 CreateActCtxA 19975->19977 19977->19976 19979 1a17370 CreateActCtxA 19978->19979 19981 1a17433 19979->19981 19981->19981 19983 1a1856b 19982->19983 19986 1a18580 19983->19986 19985 1a188dd 19985->19969 19987 1a1858b 19986->19987 19990 1a185b0 19987->19990 19989 1a189ba 19989->19985 19991 1a185bb 19990->19991 19994 1a185e0 19991->19994 19993 1a18aad 19993->19989 19996 1a185eb 19994->19996 19995 1a19ed1 19995->19993 19996->19995 19998 1a1df70 19996->19998 19999 1a1df91 19998->19999 20000 1a1dfb5 19999->20000 20002 1a1e120 19999->20002 20000->19995 20004 1a1e12d 20002->20004 20003 1a1e166 20003->20000 20004->20003 20006 1a1c464 20004->20006 20007 1a1c46f 20006->20007 20008 1a1e1d8 20007->20008 20010 1a1c498 20007->20010 20011 1a1c4a3 20010->20011 20012 1a185e0 KiUserCallbackDispatcher 20011->20012 20013 1a1e247 20012->20013 20016 1a1e2c0 20013->20016 20014 1a1e256 20014->20008 20017 1a1e2ee 20016->20017 20018 1a1e3ba KiUserCallbackDispatcher 20017->20018 20019 1a1e3bf 20017->20019 20018->20019 20020 5ad0eb0 SendMessageW 20021 5ad0f1c 20020->20021 20022 5ad2690 20023 5ad26bc CloseHandle 20022->20023 20024 5ad269e 20022->20024 20028 5ad273f 20023->20028 20029 5ad147c 20024->20029 20030 5ad26d8 CloseHandle 20029->20030 20031 5ad26b8 20030->20031 20032 5ad2130 20033 5ad22bb 20032->20033 20034 5ad2156 20032->20034 20034->20033 20037 5ad23a8 20034->20037 20040 5ad23b0 PostMessageW 20034->20040 20038 5ad23b0 PostMessageW 20037->20038 20039 5ad241c 20038->20039 20039->20034 20041 5ad241c 20040->20041 20041->20034

                                          Control-flow Graph

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 01A1C256
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.1699230559.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_1a10000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 7cf6b11cb01b68228a2c32dad73b8a73d27fcf47b2a6c324ae036258e916ca03
                                          • Instruction ID: 3f3e22cd19195c680fb447f76d2533928930662ecb5c14757ef263f7999e9ba7
                                          • Opcode Fuzzy Hash: 7cf6b11cb01b68228a2c32dad73b8a73d27fcf47b2a6c324ae036258e916ca03
                                          • Instruction Fuzzy Hash: A88178B0A00B458FE724DF69D44079ABBF1FF88320F008A2DD48AD7A48D775E946CB95

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 56 1a1670f-1a16711 57 1a16713-1a16747 56->57 58 1a16779-1a1681c DuplicateHandle 56->58 59 1a1674e-1a16774 57->59 60 1a16749 call 1a1611c 57->60 63 1a16825-1a16842 58->63 64 1a1681e-1a16824 58->64 60->59 64->63
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01A1674E,?,?,?,?,?), ref: 01A1680F
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.1699230559.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_1a10000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: f53b187c7665ba11db85265edf9d6ae016d2c9873f32eae272f74879ead87d0d
                                          • Instruction ID: 798e9d225e32f7b3110e473ec8340576c747be706ebf6780b030218626f89575
                                          • Opcode Fuzzy Hash: f53b187c7665ba11db85265edf9d6ae016d2c9873f32eae272f74879ead87d0d
                                          • Instruction Fuzzy Hash: 31418B769042489FCB02CFA9D844ADEBFF5FF49310F0980AAE958E7251D3759914CFA1

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 69 1a16414-1a17431 CreateActCtxA 72 1a17433-1a17439 69->72 73 1a1743a-1a17494 69->73 72->73 80 1a174a3-1a174a7 73->80 81 1a17496-1a17499 73->81 82 1a174a9-1a174b5 80->82 83 1a174b8 80->83 81->80 82->83 85 1a174b9 83->85 85->85
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 01A17421
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.1699230559.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_1a10000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 50e45f447faba8a11d7d77d4f92fd5e72246d3ca790b27cbc842bd93b6b7f339
                                          • Instruction ID: 124c920e1edf3cda33b9a97333d38eefffcec30d290c14c0d57141012edb8e67
                                          • Opcode Fuzzy Hash: 50e45f447faba8a11d7d77d4f92fd5e72246d3ca790b27cbc842bd93b6b7f339
                                          • Instruction Fuzzy Hash: 6641BE70C0071DCBEB24CFA9C844BDEBBB5BF48304F24806AD418AB255DBB56946CFA0

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 86 1a17364-1a17431 CreateActCtxA 88 1a17433-1a17439 86->88 89 1a1743a-1a17494 86->89 88->89 96 1a174a3-1a174a7 89->96 97 1a17496-1a17499 89->97 98 1a174a9-1a174b5 96->98 99 1a174b8 96->99 97->96 98->99 101 1a174b9 99->101 101->101
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 01A17421
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.1699230559.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_1a10000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 047feaff626c582bc77176e5dfcf62e6fe6f4bc5386e15c4ce37513b0f21c714
                                          • Instruction ID: 98c4016a5db65ce67802b0aaeecd866671186f953ed21aece67f1fafacc8450e
                                          • Opcode Fuzzy Hash: 047feaff626c582bc77176e5dfcf62e6fe6f4bc5386e15c4ce37513b0f21c714
                                          • Instruction Fuzzy Hash: C441D071C00719CFEB25CFA9C944BCEBBB5BF49304F24806AD418AB255DBB55946CF60

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 102 1a1611c-1a1681c DuplicateHandle 105 1a16825-1a16842 102->105 106 1a1681e-1a16824 102->106 106->105
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01A1674E,?,?,?,?,?), ref: 01A1680F
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.1699230559.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_1a10000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: bbef4c33cb8dca9f8fb09ba7fa2d8ab35d2132c7d1b76d43a01df0c3ab02960a
                                          • Instruction ID: 6b0c3a251310b7be1c6b0d4621579f72d3336a79209e68d769e2bf9704bb932a
                                          • Opcode Fuzzy Hash: bbef4c33cb8dca9f8fb09ba7fa2d8ab35d2132c7d1b76d43a01df0c3ab02960a
                                          • Instruction Fuzzy Hash: 8E21E5B59002489FDB10CF9AD884ADEBBF8FB48310F14841AE918A7350D374A940CFA5

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 109 1a16780-1a167dc 111 1a167df-1a1681c DuplicateHandle 109->111 112 1a16825-1a16842 111->112 113 1a1681e-1a16824 111->113 113->112
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01A1674E,?,?,?,?,?), ref: 01A1680F
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.1699230559.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_1a10000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: c769e5bfbff0ed21f5aeab7188cc503f54131a37e6879200750bae48116d7815
                                          • Instruction ID: 8a2fa4faec3a94e4dabcd384cd02289d7dd4fce8dc74732a659910d3033223e7
                                          • Opcode Fuzzy Hash: c769e5bfbff0ed21f5aeab7188cc503f54131a37e6879200750bae48116d7815
                                          • Instruction Fuzzy Hash: 0521E5B5D002599FDB11CFA9D884AEEBBF4FB48310F14802AE919A7350D374A944CFA5

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 116 5ad0ea8-5ad0f1a SendMessageW 118 5ad0f1c-5ad0f22 116->118 119 5ad0f23-5ad0f37 116->119 118->119
                                          APIs
                                          • SendMessageW.USER32(?,?,?,?), ref: 05AD0F0D
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.1769644453.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_5ad0000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: 2276f5a3812ac5f794c11b9ca695bf5db79f430cc351a7801cad1463442bdf76
                                          • Instruction ID: 88d788dacba1dc163bd0415b75911a5b014ee00a3c9a3ed631f95f66fc6902d0
                                          • Opcode Fuzzy Hash: 2276f5a3812ac5f794c11b9ca695bf5db79f430cc351a7801cad1463442bdf76
                                          • Instruction Fuzzy Hash: 5811E3B58002489FDB10DF9AD845BDEFBF8FB48310F10841AE555A7200D375A944CFA1

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 127 5ad23a8-5ad241a PostMessageW 129 5ad241c-5ad2422 127->129 130 5ad2423-5ad2437 127->130 129->130
                                          APIs
                                          • PostMessageW.USER32(?,?,?,?), ref: 05AD240D
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.1769644453.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_5ad0000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 3019ff45a24fa52c082cd7b7ef05adb448d584ced59be6cd12c0f23af4dd6df2
                                          • Instruction ID: b4d0aafdb05c7f7c3c1b6cb643496c3127a3c14275442aec76bfc67411019517
                                          • Opcode Fuzzy Hash: 3019ff45a24fa52c082cd7b7ef05adb448d584ced59be6cd12c0f23af4dd6df2
                                          • Instruction Fuzzy Hash: A211E3B98003489FDB11DF9AD885BDEBBF8EB48320F10845AE955A7200D375A544CFA1

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 121 1a1c1f0-1a1c230 122 1a1c232-1a1c235 121->122 123 1a1c238-1a1c263 GetModuleHandleW 121->123 122->123 124 1a1c265-1a1c26b 123->124 125 1a1c26c-1a1c280 123->125 124->125
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 01A1C256
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.1699230559.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_1a10000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 0be6dd7332571c4f4bf9508fb91272c54d3e06d67ab71b5216bb1c502b982f2a
                                          • Instruction ID: de58515b4e752c3653b0bd3769e2efd03f67b57f69bba78a3c738dc695b83f97
                                          • Opcode Fuzzy Hash: 0be6dd7332571c4f4bf9508fb91272c54d3e06d67ab71b5216bb1c502b982f2a
                                          • Instruction Fuzzy Hash: 5511E0B6C002498FDB10DF9AD444BDEFBF4EB88224F10852AD929B7214D3B5A545CFA5

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 132 5ad0eb0-5ad0f1a SendMessageW 133 5ad0f1c-5ad0f22 132->133 134 5ad0f23-5ad0f37 132->134 133->134
                                          APIs
                                          • SendMessageW.USER32(?,?,?,?), ref: 05AD0F0D
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.1769644453.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_5ad0000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: 07e4c94feb0f781176893d0bf3f5e0fc24c0703b670503659f829760515aaf56
                                          • Instruction ID: 325e1dde380a3014eb0d668310294372990f6e8a9901912ec380679c36edb587
                                          • Opcode Fuzzy Hash: 07e4c94feb0f781176893d0bf3f5e0fc24c0703b670503659f829760515aaf56
                                          • Instruction Fuzzy Hash: D411E5B58003499FDB10DF9AD845BDEFBF8FB48320F20841AE559A7240D375AA44CFA5

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 136 5ad23b0-5ad241a PostMessageW 137 5ad241c-5ad2422 136->137 138 5ad2423-5ad2437 136->138 137->138
                                          APIs
                                          • PostMessageW.USER32(?,?,?,?), ref: 05AD240D
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.1769644453.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_5ad0000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: fefd52d8896ad54b41a621c3c8e443df65f42517b5202870442930c76f78bfc0
                                          • Instruction ID: b7cc90be6a12f4c49c6624fce7a75714226e67e97b10a2ca7d460dc2b76bbb6f
                                          • Opcode Fuzzy Hash: fefd52d8896ad54b41a621c3c8e443df65f42517b5202870442930c76f78bfc0
                                          • Instruction Fuzzy Hash: D411D3B58003499FDB10DF9AD845BDEFBF8FB48320F10841AE959A7240D375A544CFA5

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 197 5ad2690-5ad269c 198 5ad26bc-5ad273d CloseHandle 197->198 199 5ad269e-5ad26b9 call 5ad147c 197->199 203 5ad273f-5ad2745 198->203 204 5ad2746-5ad276e 198->204 203->204
                                          APIs
                                          • CloseHandle.KERNELBASE(?), ref: 05AD2730
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.1769644453.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_5ad0000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: c9da077bf13cdf76d6e023c6ccf55079785f073731233b6a3de3ab6687f77611
                                          • Instruction ID: f6f91feb268aa4ae5c8ca6dec5702a70779ca42f2cc6c587c2f51544b35b39cf
                                          • Opcode Fuzzy Hash: c9da077bf13cdf76d6e023c6ccf55079785f073731233b6a3de3ab6687f77611
                                          • Instruction Fuzzy Hash: 302136B6900348CFDB10EFA9C544BAEBBF4FF48320F10845AD569AB251D335A945CFA5

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 208 5ad147c-5ad273d CloseHandle 210 5ad273f-5ad2745 208->210 211 5ad2746-5ad276e 208->211 210->211
                                          APIs
                                          • CloseHandle.KERNELBASE(?), ref: 05AD2730
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.1769644453.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_5ad0000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: 86c2a2b6ce687baf9a963a27dfaee5d0b551a0ceb6f051ab1edb9014c5891a00
                                          • Instruction ID: 164c875336e28de912fb01ec59f359c61189d29fd8b80dd0e022155d9bfda539
                                          • Opcode Fuzzy Hash: 86c2a2b6ce687baf9a963a27dfaee5d0b551a0ceb6f051ab1edb9014c5891a00
                                          • Instruction Fuzzy Hash: C61116B58003498FDB20DF9AC445BDEBBF4EB48320F10846AD569A7240D378A945CFA5
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.1695831195.000000000198D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0198D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_198d000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 481055fb2599c7bda6f9feefdce037e2a48fa1b1019ce3e9a424fff2f3f878b2
                                          • Instruction ID: b55717daf8be3424fdccd61eaf5c7f3239f4503b2cf3fe53a0b270ab7d2ceef5
                                          • Opcode Fuzzy Hash: 481055fb2599c7bda6f9feefdce037e2a48fa1b1019ce3e9a424fff2f3f878b2
                                          • Instruction Fuzzy Hash: B621D371504304EFDB15EF94D984B26BBA5EB84214F20C96DE84D4B286C336D447CA62
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.1695831195.000000000198D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0198D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_198d000_EPhabVgXw.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 56bba06af7755648fba563b45d95fbd81a00c1a2f17019db6df78075851c408c
                                          • Instruction ID: d10007682e4a832720821098ea8eb595abb28d817301659863d882842de16dd3
                                          • Opcode Fuzzy Hash: 56bba06af7755648fba563b45d95fbd81a00c1a2f17019db6df78075851c408c
                                          • Instruction Fuzzy Hash: 0721CF755083808FDB13CF24C990715BFB1EB46214F28C1EAD8498F2A3C33A980BCB62

                                          Execution Graph

                                          Execution Coverage:8.5%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:89
                                          Total number of Limit Nodes:11
                                          execution_graph 15822 16e4668 15823 16e4676 15822->15823 15828 16e6de0 15823->15828 15826 16e4704 15829 16e6e05 15828->15829 15837 16e6edf 15829->15837 15841 16e6ef0 15829->15841 15830 16e46e9 15833 16e421c 15830->15833 15834 16e4227 15833->15834 15849 16e8560 15834->15849 15836 16e8806 15836->15826 15838 16e6f17 15837->15838 15840 16e6ff4 15838->15840 15845 16e6414 15838->15845 15843 16e6f17 15841->15843 15842 16e6ff4 15842->15842 15843->15842 15844 16e6414 CreateActCtxA 15843->15844 15844->15842 15846 16e7370 CreateActCtxA 15845->15846 15848 16e7433 15846->15848 15850 16e856b 15849->15850 15853 16e8580 15850->15853 15852 16e88dd 15852->15836 15854 16e858b 15853->15854 15857 16e85b0 15854->15857 15856 16e89ba 15856->15852 15858 16e85bb 15857->15858 15861 16e85e0 15858->15861 15860 16e8aad 15860->15856 15862 16e85eb 15861->15862 15864 16e9e93 15862->15864 15867 16ebed1 15862->15867 15863 16e9ed1 15863->15860 15864->15863 15873 16edf60 15864->15873 15868 16ebeda 15867->15868 15870 16ebe91 15867->15870 15879 16ebef8 15868->15879 15882 16ebf08 15868->15882 15869 16ebee6 15869->15864 15870->15864 15874 16edf91 15873->15874 15875 16edfb5 15874->15875 15890 16ee120 15874->15890 15894 16ee110 15874->15894 15875->15863 15876 16ee045 15876->15863 15880 16ebf17 15879->15880 15885 16ebff0 15879->15885 15880->15869 15884 16ebff0 GetModuleHandleW 15882->15884 15883 16ebf17 15883->15869 15884->15883 15887 16ec000 15885->15887 15886 16ec034 15886->15880 15887->15886 15888 16ec238 GetModuleHandleW 15887->15888 15889 16ec265 15888->15889 15889->15880 15891 16ee12d 15890->15891 15892 16ee166 15891->15892 15898 16ec464 15891->15898 15892->15876 15895 16ee120 15894->15895 15896 16ee166 15895->15896 15897 16ec464 4 API calls 15895->15897 15896->15876 15897->15896 15899 16ec46f 15898->15899 15901 16ee1d8 15899->15901 15902 16ec498 15899->15902 15901->15901 15903 16ec4a3 15902->15903 15904 16e85e0 4 API calls 15903->15904 15905 16ee247 15904->15905 15906 16ee256 15905->15906 15909 16ee2b0 15905->15909 15915 16ee2c0 15905->15915 15906->15901 15910 16ee2ee 15909->15910 15911 16ec530 GetFocus 15910->15911 15912 16ee317 15910->15912 15914 16ee3bf 15910->15914 15911->15912 15913 16ee3ba KiUserCallbackDispatcher 15912->15913 15912->15914 15913->15914 15916 16ee2ee 15915->15916 15917 16ec530 GetFocus 15916->15917 15918 16ee3bf 15916->15918 15919 16ee317 15916->15919 15917->15919 15919->15918 15920 16ee3ba KiUserCallbackDispatcher 15919->15920 15920->15918 15921 16e6788 15922 16e67c4 DuplicateHandle 15921->15922 15923 16e681e 15922->15923 15924 16e6540 15925 16e6586 GetCurrentProcess 15924->15925 15927 16e65d8 GetCurrentThread 15925->15927 15928 16e65d1 15925->15928 15929 16e660e 15927->15929 15930 16e6615 GetCurrentProcess 15927->15930 15928->15927 15929->15930 15933 16e664b 15930->15933 15931 16e6673 GetCurrentThreadId 15932 16e66a4 15931->15932 15933->15931

                                          Control-flow Graph

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 016E65BE
                                          • GetCurrentThread.KERNEL32 ref: 016E65FB
                                          • GetCurrentProcess.KERNEL32 ref: 016E6638
                                          • GetCurrentThreadId.KERNEL32 ref: 016E6691
                                          Memory Dump Source
                                          • Source File: 00000025.00000002.1698457075.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_37_2_16e0000_outlooks.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 3478fc2133998127f81dff7f25b39ec5a0409b917e7e50380df650656c5ada64
                                          • Instruction ID: 742bdf3c943adabbb58199fd1b5186e4dd51b2175712bddc8d95c15b970a002b
                                          • Opcode Fuzzy Hash: 3478fc2133998127f81dff7f25b39ec5a0409b917e7e50380df650656c5ada64
                                          • Instruction Fuzzy Hash: 1A5187B09113198FEB14CFAAC9487DEBBF0BF88314F24855AE409A7391DB749944CF66

                                          Control-flow Graph

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 016E65BE
                                          • GetCurrentThread.KERNEL32 ref: 016E65FB
                                          • GetCurrentProcess.KERNEL32 ref: 016E6638
                                          • GetCurrentThreadId.KERNEL32 ref: 016E6691
                                          Memory Dump Source
                                          • Source File: 00000025.00000002.1698457075.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_37_2_16e0000_outlooks.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 730689b52553ba63fbe345b91be83045eecb36c94f2c883d007284a6142ae4e6
                                          • Instruction ID: f0029212bd02c313d8dfee87f749e4952c292dc422198901601e392522586e14
                                          • Opcode Fuzzy Hash: 730689b52553ba63fbe345b91be83045eecb36c94f2c883d007284a6142ae4e6
                                          • Instruction Fuzzy Hash: 4E5157B09112198FDB18CFAAC948BEEBBF1FF48314F208559E409A7390DB749944CF66

                                          Control-flow Graph

                                          Memory Dump Source
                                          • Source File: 00000025.00000002.1698457075.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_37_2_16e0000_outlooks.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ed0884108ae8f370b35e6b755beac20fc991d14396637551c4a453cd9d7428fd
                                          • Instruction ID: 1f463ce5e6378727cfe5f0828839be911a659fb9f85f9096e3a354ac6da36669
                                          • Opcode Fuzzy Hash: ed0884108ae8f370b35e6b755beac20fc991d14396637551c4a453cd9d7428fd
                                          • Instruction Fuzzy Hash: 14814870A01B058FD724DF69D84879ABBF1FF88214F008A2DD48ADBB50D775E846CB95

                                          Control-flow Graph

                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 016E7421
                                          Memory Dump Source
                                          • Source File: 00000025.00000002.1698457075.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_37_2_16e0000_outlooks.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: ab7211e39f79a3ce1d33991e2754eb661058062287809b59349801e530caf231
                                          • Instruction ID: 121698993edbf19db5b42f5466a3d26a3d2d6511c11550a500ff67447c8304d2
                                          • Opcode Fuzzy Hash: ab7211e39f79a3ce1d33991e2754eb661058062287809b59349801e530caf231
                                          • Instruction Fuzzy Hash: F041A170C01729CBDB24DFA9C848BDEBBF5BF48304F64816AD408AB255DBB56946CF90

                                          Control-flow Graph

                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 016E7421
                                          Memory Dump Source
                                          • Source File: 00000025.00000002.1698457075.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_37_2_16e0000_outlooks.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 7024000c9f8429e780da56a0caaba4396f05eab60eb106ef0d5178b668c3e9d7
                                          • Instruction ID: aa9440ba6a5ef50e9206ac0a3de34cd98c60bd2e442d7cecbb2866cbafd9ef61
                                          • Opcode Fuzzy Hash: 7024000c9f8429e780da56a0caaba4396f05eab60eb106ef0d5178b668c3e9d7
                                          • Instruction Fuzzy Hash: 0D41D1B1C01729CBEB24CFA9C8447CEBBF5BF48304F24816AD408AB251D775694ACF90

                                          Control-flow Graph

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016E680F
                                          Memory Dump Source
                                          • Source File: 00000025.00000002.1698457075.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_37_2_16e0000_outlooks.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 0169469ba035ecc7aa6e77a95bf71a26fd6600a9cf09c937ff6d1299a2fddbb0
                                          • Instruction ID: da3beea43ac359a0d64251043447fc3b520cb9b6906edb750d010f8d6e0e3f53
                                          • Opcode Fuzzy Hash: 0169469ba035ecc7aa6e77a95bf71a26fd6600a9cf09c937ff6d1299a2fddbb0
                                          • Instruction Fuzzy Hash: EE21E3B59012489FDB10CFAAD884BEEBBF4FB48320F14841AE914A7351D374A944CFA5

                                          Control-flow Graph

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016E680F
                                          Memory Dump Source
                                          • Source File: 00000025.00000002.1698457075.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_37_2_16e0000_outlooks.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 039e0bfbba4ddb5dd1bb0ee4bed3fa59b5115c94306731538b8bf215081f77eb
                                          • Instruction ID: 1ccd71db130ae0b661c16f51b9b8e23f60191ca6174a05d41a5e6a9eb804cd03
                                          • Opcode Fuzzy Hash: 039e0bfbba4ddb5dd1bb0ee4bed3fa59b5115c94306731538b8bf215081f77eb
                                          • Instruction Fuzzy Hash: 9721E4B59012489FDB10CFAAD884ADEBFF4FB48320F14841AE914A3351D374A944CFA5

                                          Control-flow Graph

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 016EC256
                                          Memory Dump Source
                                          • Source File: 00000025.00000002.1698457075.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_37_2_16e0000_outlooks.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: e771af86eb08081edc8ada017d188cd328ec067ee8f93b8c29e55a30fd6f6c08
                                          • Instruction ID: 8082b8dd1f26fb841ad47a0771ded002f414c8f946922ecd6f52025cb7391a5f
                                          • Opcode Fuzzy Hash: e771af86eb08081edc8ada017d188cd328ec067ee8f93b8c29e55a30fd6f6c08
                                          • Instruction Fuzzy Hash: 121102B5C007498FDB10CF9AC844BDEFBF4AB88214F10852AD419A7200C375A545CFA1
                                          Memory Dump Source
                                          • Source File: 00000025.00000002.1681981759.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_37_2_12bd000_outlooks.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 16a48fc5da9dcf4c8e59160554c07d2e5acd02f29b710bac10e348ea1da6a983
                                          • Instruction ID: 6e74c47ac065c61317e696a96928f8d2860da78da061d789d2d85dfb57c1c574
                                          • Opcode Fuzzy Hash: 16a48fc5da9dcf4c8e59160554c07d2e5acd02f29b710bac10e348ea1da6a983
                                          • Instruction Fuzzy Hash: 00214975514308DFDB15DF64D4C0B96BBA1FB84398F24C96DE9090B242C377D447CA61
                                          Memory Dump Source
                                          • Source File: 00000025.00000002.1681981759.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_37_2_12bd000_outlooks.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ecd52ba6ded94b40c5e6239109aa7ebbccde33deaad19c00b240b5588b1c1afd
                                          • Instruction ID: fa4d0603cd0d594a5ff977946666fa974860b4b8566d02f08ab32c18e381405b
                                          • Opcode Fuzzy Hash: ecd52ba6ded94b40c5e6239109aa7ebbccde33deaad19c00b240b5588b1c1afd
                                          • Instruction Fuzzy Hash: 8B21B3714083849FCB02CF24D9D4751BF71EB46314F28C5DAD9498F2A7C33A9806CB62